SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES

2007-03-08 / 2007-03-09
Credit: red-database-security
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-7138
CWE: CWE-89


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################################################### Name SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES Systems Affected Oracle APEX/HTMLDB Severity High Risk Category SQL Injection Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) Date 18 October 2006 (V 1.00) Advisory http://www.red-database-security.com/advisory/oracle_apex_sql_injection_ wwv_flow_utilities.html Details ####### The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL injection vulnerability. Depending of the APEX application it is possible to inject custom SQL statements. The entire SQL statement is accessible from the URL in the parameter P_LOV. To protect the SELECT statement in the URL Oracle is using a MD5 checksum. By modifying the SQL statement and recalculating the MD5 checksum P_LOV_CHECKSUM it is possible to run custom SQL statements from the URL. Sample URL: http://apex:7777/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=& p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p _max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id= 11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_tr anslation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_fi rst_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%2 0cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064 Affected Products ################# This bug is fixed with 2.2 of APEX which is not part of the Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation to 2.2 or better 2.2.1. Patches are currently not available for Oracle Application Express. Patch Information ################# This bug is fixed with Apex 2.2 or higher. History ####### 03-oct-2005 Oracle secalert was informed 04-oct-2005 Bug confirmed 17-oct-2006 Oracle published CPU October 2006 and recommends to update to 2.2.1 18-oct-2006 Red-Database-Security published this advisory Additional Information ###################### An analysis of the Oracle CPU Oct 2006 is available here http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top