Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: va2362.htm

Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability



Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability




Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2

CVE:
2008-5446

Description:
The oracle E Business including applications like I-Recruitment etc is
vulnerable to flaw which leads
to sensitive information disclosure about the deployment of oracle
application and server in a production
environment. The flaw persists in the E Business suite designed code
which allows malicious user to steal
sensitive information through "About Us Page" (shipped with E Business
Suite) by allowing guest access.
In addition to this a straight forward access is granted to attacker to
steal all the information which provide
potential attack surface for conducting stringent attacks.

The severity gets higher because the type of information is revealed.
This can be structured over two end points as:

1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.

Proof of Concept: Refer to the whitepaper for detail information
http://secniche.org/papers/orabs.pdf 

Detection:
SecNiche confirmed this vulnerability affects the above oracle version
listed.

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply : 26 Sept 2008
Oracle Fix and Release Date. 13 January 2009

Links:
http://www.secniche.org/orabs.html 
http://evilfingers.com/advisory/index.php 

Vendor Response:
Oracle acknowledges this vulnerability and fix have been release in
critical advisory update of 13 January 2009

Oracle Critical Patch Update:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html 


Credit:
Oracle Credited Aditya K Sood for discovering this vulnerability

Disclaimer:
The information in the advisory is believed to be accurate at the time
of publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
is no representation or warranties, either express or implied by or with
respect to anything in this document,
and shall not be liable for a ny implied warranties of merchantability
or fitness for a particular purpose or for
any indirect special or consequential damages.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH