AOH :: HP Unsorted U :: VA3180.HTM

Unprivileged DB users can see APEX password hashes



Unprivileged DB users can see APEX password hashes
Unprivileged DB users can see APEX password hashes



Name              Unprivileged DB users can see APEX password hashes
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity          High Risk
Category          Password Disclosure
Vendor URL http://www.oracle.com/ 
Author            Alexander Kornbrust (ak at red-database-security.com)
CVE               CVE-2009-0981
Advisory          14 April 2009 (V 1.00)


Details:
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.

SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME    WEB_PASSWORD2
----------------------------------------------------------------------
YURI                 141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html 


Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle
CPU April 2009 and can identify vulnerable databases. 
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan 


History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published


About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the last 
6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.