Oracle XML DB FTP Service Login Audit Vulnerability
BID:26107
Info
| Bugtraq ID: | 26107 |
| Class: | Design Error |
| CVE: | CVE-2007-5513 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 17 2007 12:00AM |
| Updated: | Oct 31 2007 07:36PM |
| Credit: | David Litchfield <[email protected]> is credited with the discovery of this issue. |
| Vulnerable: | Oracle XMLDB 0; Oracle Oracle9i Standard Edition 9.2 .8DV; Oracle Oracle9i Standard Edition 9.2 .8; Oracle Oracle9i Standard Edition 9.2 .7; Oracle Oracle9i Standard Edition 9.2 .6; Oracle Oracle9i Standard Edition 9.2 .3; Oracle Oracle9i Standard Edition 9.2 .2; Oracle Oracle9i Standard Edition 9.2 .2; Oracle Oracle9i Standard Edition 9.2 .1; Oracle Oracle9i Standard Edition 9.2 .1; Oracle Oracle9i Standard Edition 9.2 .0.5; Oracle Oracle9i Standard Edition 9.2 .0.3; Oracle Oracle9i Standard Edition 9.2 .0.2; Oracle Oracle9i Standard Edition 9.2 .0.1; Oracle Oracle9i Personal Edition 9.2 .8DV; Oracle Oracle9i Personal Edition 9.2 .8; Oracle Oracle9i Personal Edition 9.2 .7; Oracle Oracle9i Personal Edition 9.2 .6; Oracle Oracle9i Personal Edition 9.2 .0.5; Oracle Oracle9i Personal Edition 9.2 .0.3; Oracle Oracle9i Personal Edition 9.2 .0.2; Oracle Oracle9i Personal Edition 9.2 .0.1; Oracle Oracle9i Personal Edition 9.2; Oracle Oracle9i Enterprise Edition 9.2 .8DV; Oracle Oracle9i Enterprise Edition 9.2 .8.0; Oracle Oracle9i Enterprise Edition 9.2 .7.0; Oracle Oracle9i Enterprise Edition 9.2 .6.0; Oracle Oracle9i Enterprise Edition 9.2 .2; Oracle Oracle9i Enterprise Edition 9.2 .0.5; Oracle Oracle9i Enterprise Edition 9.2 .0.3; Oracle Oracle9i Enterprise Edition 9.2 .0.1; Oracle Oracle9i Enterprise Edition 9.2 .0; Oracle Oracle10g Standard Edition 10.1 .5; Oracle Oracle10g Standard Edition 10.1 .4.2; Oracle Oracle10g Standard Edition 10.1 .0.5; Oracle Oracle10g Standard Edition 10.1 .0.4; Oracle Oracle10g Standard Edition 10.1 .0.3.1; Oracle Oracle10g Standard Edition 10.1 .0.3; Oracle Oracle10g Standard Edition 10.1 .0.2; Oracle Oracle10g Personal Edition 10.1 .5; Oracle Oracle10g Personal Edition 10.1 .0.4; Oracle Oracle10g Personal Edition 10.1 .0.3.1; Oracle Oracle10g Personal Edition 10.1 .0.3; Oracle Oracle10g Personal Edition 10.1 .0.2; Oracle Oracle10g Enterprise Edition 10.1 .5; Oracle Oracle10g Enterprise Edition 10.1 .5; Oracle Oracle10g Enterprise Edition 10.1 .0.4; Oracle Oracle10g Enterprise Edition 10.1 .0.3.1; Oracle Oracle10g Enterprise Edition 10.1 .0.3; Oracle Oracle10g Enterprise Edition 10.1 .0.2; HP Oracle for OpenView for Linux LTU Service Bureaus 0; HP Oracle for OpenView for Linux LTU 0; HP Oracle for OpenView 9.1.1; HP Oracle for OpenView 8.1.7; HP Oracle for OpenView 9.2 |
| Not Vulnerable: | |
Discussion
The Oracle XML DB FTP service may record login audit trails incorrectly in some circumstances. Attackers may exploit this issue to hide or obfuscate traces of an actual attack.
This issue affects Oracle 9ir2 and Oracle 10g Release 1.
NOTE: This issue was previously documented in BID 26039 (Oracle October 2007 Critical Patch Update Multiple Vulnerabilities) and has been given its own BID because further technical details are now available.
Exploit / POC
A specific exploit for this issue is not required; an attacker need only add extra characters to their login credentials to exploit this issue.
Solution / Fix
Solution:
The vendor released an advisory and updates to address this issue. Please see the references for more information.
References
- Oracle Homepage (Oracle)
- HPSBMA02133 SSRT061201 rev.6 - HP Oracle for OpenView (OfO) Critical Patch Updat ([email protected])
- Oracle audit issue with XMLDB ftp service ("NGSSoftware Insight Security Research")
- High Risk Vulnerability in Oracle XMLDB FTP Service (NGSSoftware)
- Oracle Critical Patch Update - October 2007 (Oracle)