OSVDB ID: 22839

Title: Oracle Database SYS.KUPV$FT Multiple Function SQL Injection

Info

Disclosure
Jan 17, 2006

Discovery
Nov 01, 2005

Dates

Exploit
Unknown

Solution
Unknown

Description

 Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the SYS.KUPV$FT functions, ATTACH_JOB, OPEN_JOB and HAS_PRIVS not properly sanitizing user-supplied input to unspecified variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Classification

 Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Rumored
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

 Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle Corporation has released a patch to address this vulnerability.

Products

Oracle Corporation

Oracle Database

 Standard Edition 0.5
Standard Edition 0.4.2
Standard Edition 0.4
Standard Edition 0.3.1
Standard Edition 0.3
Standard Edition 0.2
Professional Edition 0.4.2
Professional Edition 0.4
Professional Edition 0.3.1
Professional Edition 0.3
Professional Edition 0.2
Enterprise Edition 0.4.2
Enterprise Edition 0.4
Enterprise Edition 0.3.1
Enterprise Edition 0.3
Enterprise Edition 0.2
Application Server 0.4.2
Application Server 0.4
Application Server 0.3.1
Application Server 0.3
Application Server 0.2

References

Credit
  • Alexander Kornbrust - akred-database-security.com - Red Database Security GmbH


Direct URL: http://osvdb.org/22839