SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL injection vulnerability. Depending on the APEX application, it is possible to inject custom SQL statements. The entire SQL statement is accessible from the URL in the parameter P_LOV. To protect the SELECT statement in the URL, Oracle uses an MD5 checksum. By modifying the SQL statement and recalculating the MD5 checksum P_LOV_CHECKSUM, it is possible to run custom SQL statements from the URL.
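Why an unkeyed checksum gives the statement in P_LOV no integrity protection, shown beside a keyed alternative. This is an added example, not code from this advisory or from Oracle; it assumes the checksum is a plain MD5 of the statement text (the advisory does not give the exact computation), and the HMAC scheme, `SERVER_KEY` and all function names are hypothetical.

```python
import hashlib
import hmac

# Hypothetical server-side secret; it never leaves the server.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def unkeyed_checksum(lov_sql: str) -> str:
    """Assumed weak scheme: plain MD5 over the client-visible statement."""
    return hashlib.md5(lov_sql.encode()).hexdigest()


def verify_unkeyed(lov_sql: str, checksum: str) -> bool:
    return hmac.compare_digest(unkeyed_checksum(lov_sql), checksum)


def keyed_tag(lov_sql: str) -> str:
    """Hardened scheme: HMAC-SHA256 keyed with the server-only secret."""
    return hmac.new(SERVER_KEY, lov_sql.encode(), hashlib.sha256).hexdigest()


def verify_keyed(lov_sql: str, tag: str) -> bool:
    # Constant-time comparison of the recomputed tag with the supplied one.
    return hmac.compare_digest(keyed_tag(lov_sql), tag)


def demo() -> dict:
    # Constructed sample statements, not taken from any real application.
    issued = "select ename d, empno r from emp"
    altered = "select dname d, deptno r from dept"
    # The client only holds what the URL carries: statement plus checksum/tag.
    client_md5 = unkeyed_checksum(altered)  # computable without any secret
    client_guess = hashlib.sha256(altered.encode()).hexdigest()  # no key
    return {
        "md5_accepts_issued": verify_unkeyed(issued, unkeyed_checksum(issued)),
        "md5_accepts_altered": verify_unkeyed(altered, client_md5),
        "hmac_accepts_issued": verify_keyed(issued, keyed_tag(issued)),
        "hmac_accepts_altered": verify_keyed(altered, client_guess),
        "hmac_rejects_reused_tag": not verify_keyed(altered, keyed_tag(issued)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A keyed tag only detects tampering; keeping the statement on the server and passing an opaque identifier in the URL removes the exposure altogether.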
This bug is fixed in APEX 2.2, which is not part of the Critical Patch Update October 2006. It is necessary to upgrade your APEX/HTMLDB installation to 2.2 or, better, 2.2.1. Keep in mind that APEX 2.2 is NOT running on Oracle Application Express. Patches are currently not available for Oracle Application Express.
This bug is fixed in APEX 2.2 or higher.
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends updating to 2.2.1
18-oct-2006 Red-Database-Security published this advisory
23-oct-2006 minor changes (Sample URL added)
© 2006 by Red-Database-Security GmbH - last update 23-oct-2006