Red-Database-Security GmbH is specialized in Oracle Security

Oracle Forms Insecure Temporary File Handling

Name: Oracle Forms Insecure Temporary File Handling
Systems Affected: Oracle Forms 4.5, 6.0, 6i, 9i
Severity: Medium Risk
Category: Information disclosure of table data
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 13 July 2005 (V 1.00)
Oracle Vuln#: AS04
Time to fix: 693


Details
If the number of records retrieved from the database in an Oracle Forms application exceeds the "buffered records" parameter, Oracle Forms creates a temp file in the temp directory of the application server.

This temp file contains an unencrypted copy of the database table used in the Forms application (e.g. creditcard). The default permission for these temp files (format: AAAa.TMP) is -rw-rw-r--, so every UNIX user on the application server can read the content of this file (e.g. credit card information, ...).


Example

ls -la /tmp
-rw-rw-r-- 1 oracle oinstall 47600 Aug 17 20:30 AAAa15400.TMP

Workaround
Set the environment variables TMP, TEMP and TMPDIR to a secure location. Which of these variables is used depends on the OS of the application server.
Delete old AAA* files on a regular basis.
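
The workaround above can be scripted as follows. This is an added example, not part of the original advisory or of any Oracle tooling; the function names, the directory paths passed in and the age threshold are assumptions, and the file pattern AAA*.TMP is taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and harden the temp location
# used by Oracle Forms. Assumes POSIX sh and find; all function names and
# the directories passed as arguments are hypothetical.

# List Forms temp files under directory $1 that group or others can read,
# i.e. files exposing table data to other UNIX users (such as -rw-rw-r--).
find_exposed_forms_tmp() {
    find "$1" -type f -name 'AAA*.TMP' \( -perm -040 -o -perm -004 \) -print
}

# Delete Forms temp files under directory $1 last modified more than $2 days
# ago. Recent files are left alone because a running session may still use them.
purge_stale_forms_tmp() {
    find "$1" -type f -name 'AAA*.TMP' -mtime +"$2" -exec rm -f {} +
}

# Create directory $1 as a private temp location (mode 0700, owner only) and
# print the assignments to add to the environment of the Forms server process.
# All three variables are set because the one that is read depends on the OS.
make_private_tmp() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    chmod 700 "$1" || return 1
    printf 'TMP=%s\nTEMP=%s\nTMPDIR=%s\n' "$1" "$1" "$1"
}
```

Run the functions as the account that owns the Forms processes, for example find_exposed_forms_tmp /tmp, and schedule purge_stale_forms_tmp from cron against the directory that TMP, TEMP or TMPDIR points to.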

Patch Information
Apply the patches for the application server mentioned in Metalink Note 311038.

History
19-aug-2003 Oracle secalert was informed
20-aug-2003 Bug confirmed
12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
13-jul-2005 Red-Database-Security published this advisory



2005 by Red-Database-Security GmbH - last update 04-nov-2005
