Team SHATTER Security Advisory
SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
Date: August 4, 2008
Affected versions: Oracle Application Server 22.214.171.124, 10.1.2.2 and 10.1.4.1
Remotely exploitable: Yes (No authentication required)
This vulnerability was discovered and researched by Esteban Martínez Fayó
of Application Security Inc.
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE,
owned by the PORTAL schema, in the backend Oracle database server. The
'ACTION' procedure of this package contains a SQL Injection flaw that
allows an attacker to build anonymous PL/SQL blocks and execute arbitrary
PL/SQL statements through it. The statements run with the privileges of
the PORTAL user, which holds DBA privileges. The vulnerability can be
exploited through the web application, without authentication.
Exploitation of this vulnerability allows an unauthenticated attacker on
the Internet to gain full control of a backend Oracle database server
via a vulnerable web site.
Vendor was contacted and a patch was released.
There is no workaround for this issue.
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
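As an added, defender-side example (not part of the advisory and not Oracle's code), these are data-dictionary queries a DBA can run on the backend database to confirm that a Critical Patch Update is recorded and to review the privilege exposure the advisory describes. DBA_REGISTRY_HISTORY, DBA_ROLE_PRIVS, DBA_TAB_PRIVS and DBA_OBJECTS are standard Oracle views; the exact ID/COMMENTS text under which the July 2008 CPU registers itself is an assumption to check against the patch README.

```sql
-- Constructed example: post-patch and exposure checks for the WWEXP_API_ENGINE issue.
-- Run as a DBA on the backend database that serves the Oracle Application Server portal.

-- 1. Is a Critical Patch Update recorded? Look for an entry whose ID/COMMENTS
--    identify the July 2008 CPU (exact text assumed; confirm with the patch README).
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 2. Does PORTAL still hold the DBA role? This is what turns an injection in a
--    PORTAL-owned package into full control of the database.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'PORTAL'
   AND granted_role = 'DBA';

-- 3. Who has been granted privileges on the affected package? Grants to PUBLIC
--    or to the schema used by the web gateway widen the unauthenticated reach.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'PORTAL'
   AND table_name = 'WWEXP_API_ENGINE';

-- 4. Is the patched package present and VALID? An INVALID status after patching
--    is worth investigating before the portal is put back in service.
SELECT owner, object_name, object_type, status, last_ddl_time
  FROM dba_objects
 WHERE owner = 'PORTAL'
   AND object_name = 'WWEXP_API_ENGINE';
```

An empty result from query 1 means no CPU is registered on this database and the fix recommended above has not been applied there.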
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008