Info

Disclosure

Jan 14, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the MDSYS.SDO_TOPO_DROP_FTBL trigger script not properly sanitizing user-supplied input. This may allow an attacker to escalate privilege to MDSYS.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: Upgrade, Third-Party Solution
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

Products

Oracle Corporation	Oracle Database Server 10g	10.1.0.5
		10.2.0.2

References

Security Tracker: 1021561
CVE ID: 2008-3979 (see also: NVD)
Bugtraq ID: 33177
Secunia Advisory ID: 33525
Related OSVDB ID: 51317 51318 51319 51326 51331 51332 51343 51345 51346 51347 51348 51349 51350 51351 51352 51353
Metasploit ID: 51354
Milw0rm: 8074
VUPEN Advisory: ADV-2009-0115
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-01/0113.html
News Article: http://www.eweek.com/c/a/Security/Oracle-Releases-Critical-Patch-Update-With-41-Fixes/
http://www.infoworld.com/article/09/01/09/Oracle_to_issue_41_security_patches_1.html
Vendor Specific Advisory URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/51354

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Oracle Corporation

Oracle Database Server 10g

References

Credit