Read File via iSQL*Plus load.uix

Name Read file via iSQLPlus load.uix
Systems Affected Oracle 10g AS iSQL*Plus
Severity Medium Risk
Category Read file on server
Vendor URL http://www.oracle.com/
Credit David Litchfield (<davidl at ngssoftware.com>)
Exploit http://www.ngssoftware.com/advisories/oracle23122004E.txt
Date 14 May 2005 (V 1.00)

Details

The load.uix page of iSQL*Plus lets a user load a script file into the SQL editor, but it does not restrict the path: any file the operating system account running iSQL*Plus can read (e.g. configuration files containing cleartext passwords) can be fetched from the server. Any authenticated database user, without any special privilege, can exploit this.

Example
1. Log in to iSQL*Plus as any database user (e.g. scott/tiger).
2. Open http://server:5560/isqlplus/load.uix
3. Enter an absolute path in the FILE input box; the file content is loaded into the editor window.
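Because the flaw is reachable by every database user, a defender who cannot patch immediately will want to know who has been calling load.uix. The following Python script is an added example (not part of the original advisory or of any Red-Database-Security tool): it parses constructed Apache/OHS combined-format access-log lines, flags every request to the /isqlplus/load.uix path from the advisory and counts the successful ones per client address. The form field names that load.uix accepts are not given on this page, so only the URL path is matched, not the submitted file name.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache/OHS combined format. They are
# illustrative only and were not taken from any real iSQL*Plus server.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2005:10:01:02 +0200] "GET /isqlplus/ HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.5 - - [14/May/2005:10:01:30 +0200] "POST /isqlplus/login.uix HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.0.0.5 - - [14/May/2005:10:02:15 +0200] "GET /isqlplus/load.uix HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.5 - - [14/May/2005:10:02:44 +0200] "POST /isqlplus/load.uix HTTP/1.1" 200 4180 "-" "Mozilla/4.0"
192.168.7.9 - - [14/May/2005:10:05:00 +0200] "GET /isqlplus/workspace.uix HTTP/1.1" 200 3100 "-" "Mozilla/4.0"
192.168.7.9 - - [14/May/2005:10:05:10 +0200] "GET /isqlplus/load.uix HTTP/1.1" 403 287 "-" "curl/7.12"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Path of the vulnerable page as given in the advisory.
LOAD_UIX_PATH = "/isqlplus/load.uix"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_load_uix_hits(log_text):
    """Return every parsed request whose path (query string stripped) is load.uix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string and compare case-insensitively so that
        # /isqlplus/LOAD.UIX or load.uix?foo=bar are not missed.
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith(LOAD_UIX_PATH):
            hits.append(rec)
    return hits


def summarise(hits):
    """Count load.uix requests answered with a 2xx status per client IP.

    A 2xx on load.uix means the page was served to an authenticated user;
    a 403/404 (e.g. after the page was removed or blocked) is not counted.
    """
    per_ip = Counter()
    for h in hits:
        if 200 <= h["status"] < 300:
            per_ip[h["ip"]] += 1
    return per_ip


if __name__ == "__main__":
    hits = find_load_uix_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("successful load.uix requests per client:", dict(summarise(hits)))
```

Run the script against a real OHS access log by replacing SAMPLE_LOG with the file contents; clients that repeatedly obtain a 200 from load.uix while nobody is doing legitimate script loading deserve a look at the database session history for that time window.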


Patch Information
Apply the Oracle Security Alert 68 patch or a later cumulative Critical Patch Update (e.g. CPU October 2005). If iSQL*Plus is not needed, stop the iSQL*Plus service instead of leaving it reachable on port 5560.



© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
