Serious flaw found in Oracle 9i app server

Robert Westervelt, News Director

A vulnerability in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information from vulnerable systems.

The flaw is an input validation error in the Portal component: user-supplied input reaches queries against the Oracle 9i Application Server data dictionary tables without adequate checking. It affects Oracle 9i Application Server Portal Release 1, v3. and prior versions, and Oracle 9i Application Server Portal Release 2, v9. and prior versions. Version and later are not vulnerable.

Exploiting the vulnerability isn't easy. An attacker could gain unauthorized access to data on the application server by injecting SQL through a crafted URL; more specifically, the injected SQL has to be aimed at the data dictionary tables on the application server, so the attacker needs some knowledge of the target's dictionary.
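The injection path described above (input taken from a URL reaching a query against data dictionary tables) as an added illustration that is not code from the Oracle advisory, from Oracle Portal, or from this article: a constructed SQLite stand-in for a dictionary view, a lookup that concatenates a URL parameter straight into the SQL text, and the same lookup done with a bind variable and identifier validation. The `owner` parameter, the table and schema names, the URLs and the identifier rule are all assumptions made for the example; the real Portal flaw's parameters and queries are not given in the article.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a data dictionary view (the shape of an
# ALL_TABLES-style view reduced to owner and table name). Every name here
# is invented for the example, not taken from the Oracle advisory.
DICTIONARY_ROWS = [
    ("PORTAL_APP", "PAGES"),
    ("PORTAL_APP", "LINKS"),
    ("FINANCE", "PAYROLL"),
    ("SECURITY", "CREDENTIALS"),
]

# Oracle-style unquoted identifier: a letter, then up to 29 letters, digits,
# underscore, dollar or hash. Assumption: a real portal would restrict the
# owner names it accepts further than this.
IDENTIFIER_RE = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")


def build_dictionary() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the data dictionary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE all_tables (owner TEXT, table_name TEXT)")
    conn.executemany("INSERT INTO all_tables VALUES (?, ?)", DICTIONARY_ROWS)
    conn.commit()
    return conn


def owner_from_url(url: str) -> str:
    """Pull the (hypothetical) 'owner' query parameter out of a request URL.

    parse_qs percent-decodes, so %27 arrives as a single quote character."""
    params = parse_qs(urlparse(url).query)
    return params.get("owner", [""])[0]


def vulnerable_lookup(conn: sqlite3.Connection, url: str) -> list:
    """Concatenates the URL parameter into the SQL text. Anything the attacker
    places after a closing quote becomes part of the WHERE clause, so a
    tautology such as  ' OR 'a'='a  widens the query to every owner."""
    owner = owner_from_url(url)
    sql = ("SELECT table_name FROM all_tables WHERE owner = '"
           + owner + "' ORDER BY table_name")
    return [row[0] for row in conn.execute(sql)]


def bound_lookup(conn: sqlite3.Connection, url: str) -> list:
    """Bind variable: the parameter is passed as a value, never as SQL. The
    same payload is searched for as a literal owner name and matches nothing."""
    owner = owner_from_url(url)
    sql = "SELECT table_name FROM all_tables WHERE owner = ? ORDER BY table_name"
    return [row[0] for row in conn.execute(sql, (owner,))]


def hardened_lookup(conn: sqlite3.Connection, url: str) -> list:
    """Validate the identifier first, then bind. Rejecting malformed input
    before it reaches the database also gives the application a clean
    event to log and alert on."""
    owner = owner_from_url(url)
    if not IDENTIFIER_RE.match(owner):
        raise ValueError(f"rejected owner parameter: {owner!r}")
    return bound_lookup(conn, url)


if __name__ == "__main__":
    conn = build_dictionary()
    # Constructed request URLs; the attack one decodes to
    #   owner=PORTAL_APP' OR 'a'='a
    benign = "http://portal.example/dict?owner=PORTAL_APP"
    attack = "http://portal.example/dict?owner=PORTAL_APP%27%20OR%20%27a%27%3D%27a"
    print("vulnerable, benign:", vulnerable_lookup(conn, benign))
    print("vulnerable, attack:", vulnerable_lookup(conn, attack))
    print("bound, attack     :", bound_lookup(conn, attack))
    try:
        hardened_lookup(conn, attack)
    except ValueError as exc:
        print("hardened, attack  :", exc)
```

The bind variable alone is what removes the injection; the identifier check is the layer that turns an attempt into a rejected request rather than an empty result, which is the form a defender actually wants to see in the logs.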

According to Oracle, a SQL injection attack over the Internet is likely where the conditions above are met, that is, a vulnerable Portal release that the attacker can reach. The vulnerability could equally be exploited from inside a corporate intranet.

Patches have been released for v9. and v3. These are available at Oracle's Metalink site.



Download the Oracle advisory on the vulnerability and links to patches here in .pdf format