
Oracle Server flaw

by Nikola Strahija on April 11th, 2006

Vulnerability in Oracle Server allows under-privileged users to modify, read and delete data.


Red-Database-Security's Alex Kornbrust reported an unpatched security hole in Oracle Server Enterprise Edition versions 9.2 through 10.2.0.3. The vulnerability allows read-only Oracle users to delete or modify rows of data used by Oracle applications.

Kornbrust said users with the SELECT privilege on a database table, which allows them only to read and display data from the table, can also delete, update and insert data in that table using the exploit.

Worse, sample code published in a knowledgebase article on Oracle's website showed Oracle customers how the flaw could be exploited.

An Oracle spokesperson explained that the company is aware of the vulnerability and is preparing a patch to be included in the next Critical Patch Update. The company has also removed the article from the knowledgebase. Kornbrust warned that malicious hackers with access to MetaLink may already have copied the exploit code from the knowledgebase article.

A malicious hacker would need to be able to log on to the vulnerable Oracle database, but even low-level "read only" or guest accounts could be used to insert, update or delete data, he said.

"The impact of this on custom applications can be huge and eliminate the entire (user) role concept," he wrote in a post to the Full Disclosure security discussion list.

For those who need a quick fix there is a workaround: revoke the CREATE VIEW privilege from low-level accounts.
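One way to apply that workaround across a database, as an added example that is not from the article, from Kornbrust or from Oracle: first inventory every account that holds CREATE VIEW, directly or through a role, then revoke it from the read-only application accounts. It is written for Oracle SQL*Plus and assumes DBA access; APP_READER and ROLE_NAME are placeholder names, and the dictionary views used (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_VIEWS) are standard Oracle data-dictionary views.

```sql
-- Added example (not from the article or from Oracle). Run as a DBA.
-- APP_READER and ROLE_NAME are placeholders for your own account and role names.

-- 1. Direct grants of CREATE VIEW. DBA_SYS_PRIVS lists both users and roles as grantees.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE VIEW'
 ORDER BY grantee;

-- 2. Users that receive CREATE VIEW through a role rather than a direct grant.
--    (This join follows one level of role nesting only; check nested roles separately.)
SELECT rp.grantee      AS user_name,
       rp.granted_role AS via_role,
       sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'CREATE VIEW'
 ORDER BY rp.grantee;

-- 3. Apply the workaround to a read-only account: revoke the direct grant.
REVOKE CREATE VIEW FROM app_reader;

-- 4. If the privilege arrives through a role the account does not otherwise need,
--    remove the role from the account instead of changing the role for everyone.
REVOKE role_name FROM app_reader;

-- 5. Verify: the account should no longer appear in listings 1 or 2, and any views
--    it already owns should be reviewed, since revoking the privilege does not drop them.
SELECT owner, view_name
  FROM dba_views
 WHERE owner = 'APP_READER';
```

Revoking CREATE VIEW also stops these accounts from creating legitimate views, so check listing 2 before touching shared roles, and re-run steps 1 and 2 after the Critical Patch Update is applied to confirm nothing was re-granted in the meantime.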

