Today Alex has released a new paper on his site titled "SQL Injection in Oracle reports". Alex has found that self developed reports are vulnerable to SQL Injection if they are using "lexical references" without input validation. Most Oracle reports developers are not aware of this issue and by definition are not validating input (e.g from parameters). This is not a bug in the reports product itself but an issue with the developers. Alex states that the Oracle documentation does not alert developers to this issue.
Alex goes on to state that all Reports products since version 2.0 using "lexical references" are vulnerable. These could be self developed or for instance part of an Oracle application such as E-Business Suite.
Alex states that it is not possible to fix this issue by setting a parameters but only possible by fixing every report by adding input validation for all parameters. Oracle has not released a fix for this issue.
This is clearly a very big issue and a serious issue as potentially there are a large amount of vulnerable reports out there.
Alex then describes the problem in detail and includes an example vulnerable report that demonstrates how database usernames can be read using SQL Injection techniques. Alex then repeats that the issue is a big problem if you have a lot of reports using "lexical references" and gives a history of when he reported the bug to Oracle.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "A small correction to a post about DBMS_SYSTEM.KSDDDT"] [Next entry: "Alex's SQL Injection advisory is available in German"]
September 2005
- 0rm's Oracle password cracker orabf has been updated - 09/01/2005 by 09/01/2005
- CPU July 2005 patch set for Application Server Windows 9.0.2.3 has a problem - 09/03/2005 by 09/03/2005
- Security firm considers changing its policy on public disclosure of security vulnerabilities - 09/04/2005 by 09/04/2005
- Wifred notes that Patch 9.0.4.2.0 has a bug in Oracle forms - 09/05/2005 by 09/05/2005
- archivelog mode - or not? - 09/06/2005 by 09/06/2005
- jDUL / DUDE (Database Unloading by Data Extraction) - an alternative to DUL - 09/07/2005 by 09/07/2005
- Nice paper by KK Mookhey and Nilesh Burghate - Detection of SQL Injection and Cross-site Scripting Attacks - 09/09/2005 by 09/09/2005
- Amis talks about the need to remove USER from PL/SQL and SQL code - 09/12/2005 by 09/12/2005
- A small correction to a post about DBMS_SYSTEM.KSDDDT - 09/13/2005 by 09/13/2005
- Alex has released details about a common SQL Injection vulnerability in Oracle reports - 09/14/2005 by 09/14/2005
- Oracle Locks Up 'Federated' App Server - 09/15/2005 by 09/15/2005
- On Security, Is Oracle the Next Microsoft? - 09/17/2005 by 09/17/2005
- Some testing of orabf (Oracle password cracker) speed by Marcel-Jan - 09/19/2005 by 09/19/2005
- Oracle Proxy Users - 09/21/2005 by 09/21/2005
- Meet the experts (Oracle Security) at Oracle Open World - an open standard for securing Oracle - 09/24/2005 by 09/24/2005
- A new paper on a security hole in Application Server Control - 09/25/2005 by 09/25/2005
- Another Larry news article on security from OOW - 09/26/2005 by 09/26/2005
- Quite a nice post about debugging with DBMS_DEBUG - 09/27/2005 by 09/27/2005
- More details on default failed_login_attempts - 09/29/2005 by 09/29/2005
- more failed_login_attempts! - 09/30/2005 by 09/30/2005
Archives
Syndication
Powered by gm-rss 2.0.0
