Oracle Database Server contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'SUBSCRIPTION_NAME' parameter in the 'DBMS_CDC_SUBSCRIBE' package not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.

Oracle has released a patch which attempted to patch this vulnerability. Subsequent testing has revealed that the actual source of the problem lies
within the underlying java class files. The April patch fails to properly load
the newer patched classes which means that these problems can still be
exploited on some versions. Oracle 10g systems with patchset 2 and the April patch have been tested and appear to mitigate the issue.

• Security Tracker: 1013693
• Bugtraq ID: 13236
• Secunia Advisory ID: 14935
• Metasploit ID: 15553
• Related OSVDB ID: 15735
• CVE ID: 2005-4832 (see also: NVD)
• ISS X-Force ID: 20159
• Keyword: Critical Patch Update - April 2005 DB02
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0093.html
  http://archives.neohapsis.com/archives/bugtraq/2005-07/0179.html
  http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0384.html
  http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0007.html
• Other Advisory URL: http://www.appsecinc.com/resources/alerts/oracle/2005-02.html
  http://www.securiteam.com/exploits/5ZP0T0AFGI.html
  http://www.securiteam.com/securitynews/5VP0P0AFGM.html
• Vendor URL: http://www.oracle.com/
• Vendor Specific Advisory URL: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

• Esteban Martinez Fayo - infoappsecinc.com - Application Security, Inc.