Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
SQL Injection in package XDB.DBMS_XDBZ0

Name SQL Injection in package XDB.DBMS_XDBZ0 [DB01]/[DB15]
Systems Affected Oracle 9i Rel.2 - 10g Rel. 2
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
CVE CVE-2006-5332 , CVE-2006-5341
Advisory 18 October 2006 (V 1.01)


Details
The package XDB.DBMS_XDBZ0 contains SQL injection vulnerabilities in the procedure enable_hierarchy_internal [DB01], disable_hierarchiy_internal [DB15]. Oracle fixed this problem by using bind variables and verifying table names.


Patch Information
Apply the patches for Oracle CPU October 2006.


History
1-nov-2005 Oracle secalert was informed about both bugs.
18-oct-2006 Oracle published CPU October 2006 [DB01], [DB15]
18-oct-2006 Advisory published
23-oct-2006 CVE added


2006 by Red-Database-Security GmbH - last update 23-oct-2006