Team SHATTER Security Advisory
SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
Date: August 4, 2008
Affected versions: Oracle Application Server 10.1.2.0.2, 10.1.2.2 and 10.1.4.1
Remotely exploitable: Yes (no authentication required)
Credits: This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details: Oracle Application Server installs the PL/SQL package
WWEXP_API_ENGINE, owned by PORTAL, in the backend Oracle database server.
The ACTION procedure of this package contains a SQL injection flaw that
allows an attacker to construct anonymous PL/SQL blocks and execute
arbitrary PL/SQL statements. The statements run with the privileges of
the PORTAL user, which has DBA privileges. The vulnerability can be
exploited through a web application and without authentication.
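As an added defensive example (not code from the advisory or from Application Security Inc.), the Python below scans web server access logs for requests that reach the PORTAL.WWEXP_API_ENGINE package and flags those naming its ACTION procedure, decoding percent-encoded paths first so an encoded request is not missed. The mod_plsql-style /pls/portal/ URL prefix, the sample log lines and the parameter and procedure names are constructed assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not from the advisory.
# The /pls/portal/ DAD prefix and query parameters are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2008:10:01:12 +0000] "GET /pls/portal/PORTAL.home HTTP/1.1" 200 5123
203.0.113.5 - - [04/Aug/2008:10:01:15 +0000] "GET /pls/portal/PORTAL.wwexp_api_engine.action?p_example=1 HTTP/1.1" 200 812
203.0.113.9 - - [04/Aug/2008:10:02:40 +0000] "GET /pls/portal/portal.WWEXP_API_ENGINE.ACTION?p_example=1 HTTP/1.1" 500 300
203.0.113.7 - - [04/Aug/2008:10:03:01 +0000] "GET /pls/portal/PORTAL.wwexp_api_engine%252Eaction HTTP/1.1" 200 400
203.0.113.8 - - [04/Aug/2008:10:04:00 +0000] "GET /pls/portal/PORTAL.wwexp_api_engine.example_proc HTTP/1.1" 200 400
"""

# One request per line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PACKAGE = "wwexp_api_engine"        # package named in the advisory
PROCEDURE = PACKAGE + ".action"     # the injectable procedure


def normalize_path(path: str) -> str:
    """Percent-decode until stable (catches double encoding), then lowercase."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def find_wwexp_requests(log_text: str) -> list[dict]:
    """Return one record per request whose path references the package."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log records
        path = normalize_path(m["path"])
        if PACKAGE not in path:
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "path": path,
            "action_proc": PROCEDURE in path,  # the procedure the advisory names
        })
    return hits


if __name__ == "__main__":
    for hit in find_wwexp_requests(SAMPLE_LOG):
        print(hit)
```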
Impact: Exploitation of this vulnerability allows an unauthenticated
attacker on the Internet to gain full control of a backend Oracle
database server via a vulnerable web site.
Vendor status: The vendor was contacted and a patch was released.
Workaround: There is no workaround for this issue.
Fix: Apply Oracle Critical Patch Update July 2008, available from Oracle Metalink.
Timeline:
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008