Red-Database-Security GmbH is specialized in Oracle Security
SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Details

The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL injection vulnerability. Depending on the APEX application, it is possible to inject custom SQL statements. The entire SQL statement is accessible from the URL in the parameter P_LOV. To protect the SELECT statement in the URL, Oracle uses an MD5 checksum. By modifying the SQL statement and recalculating the MD5 checksum P_LOV_CHECKSUM, it is possible to run custom SQL statements from the URL.

Sample URL

http://apex:7777/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filterme=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064

Affected Products

This bug is fixed with 2.2 of APEX, which is not part of the Critical Patch Update October 2006. It is necessary to upgrade your APEX/HTMLDB installation to 2.2 or, better, 2.2.1. Keep in mind that APEX 2.2 is NOT running on Oracle Application Express. Patches are currently not available for Oracle Application Express.

Patch Information

This bug is fixed with Apex 2.2 or higher.

History

03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends updating to 2.2.1
18-oct-2006 Red-Database-Security published this advisory
23-oct-2006 minor changes (Sample URL added)

© 2006 by Red-Database-Security GmbH - last update 23-oct-2006
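One way to look for altered P_LOV values in web server logs on installations that cannot be upgraded yet, as an added example that is not part of the original advisory: each gen_popup_list request is checked against an allowlist of the LOV statements the application itself defines. The allowlist contents, the request lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "wwv_flow_utilities.gen_popup_list"

# Assumption: the LOV statements your own APEX application defines. The single
# entry here is the statement from the advisory's sample URL.
KNOWN_LOVS = [
    "select cust_last_name || ', ' || cust_first_name d, customer_id r "
    "from demo_customers order by cust_last_name",
]

def normalize(sql):
    """Collapse runs of whitespace so spacing differences do not matter."""
    return " ".join(sql.split())

ALLOWED = {normalize(s) for s in KNOWN_LOVS}

def review_request(request_line):
    """Return a finding string for a suspicious request line, else None."""
    fields = request_line.split()
    if len(fields) < 2:
        return None
    parts = urlsplit(fields[1])
    if not parts.path.lower().endswith("/" + ENDPOINT):
        return None  # not the popup LOV procedure
    lovs = parse_qs(parts.query, keep_blank_values=True).get("p_lov", [])
    if len(lovs) != 1:
        return f"expected exactly one p_lov, found {len(lovs)}"
    if normalize(lovs[0]) not in ALLOWED:
        return f"p_lov is not an application LOV: {lovs[0]!r}"
    return None

# Constructed request lines (not taken from a real server log).
SAMPLE_LOG = [
    "GET /pls/htmldb/wwv_flow_utilities.gen_popup_list?p_flow_id=100&p_page_id=11"
    "&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C"
    "%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name"
    "&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064 HTTP/1.1",
    "GET /pls/htmldb/wwv_flow_utilities.gen_popup_list?p_flow_id=100&p_page_id=11"
    "&p_lov=select%20'x'%20d%2C%20'y'%20r%20from%20dual"
    "&p_lov_checksum=00000000000000000000000000000000 HTTP/1.1",
    "GET /pls/htmldb/f?p=100:1 HTTP/1.1",
]

def findings(lines):
    """Pair the index of each flagged line with its finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := review_request(line))]

if __name__ == "__main__":
    for index, finding in findings(SAMPLE_LOG):
        print(index, finding)
```

The checksum parameter is deliberately ignored: according to the advisory it can be recalculated by the requester, so only the statement itself is compared.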