Serious flaw found in Oracle 9i app server

A flaw in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information.

A vulnerability in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information from vulnerable systems.

The flaw is caused by an input validation error in the portal component when user input is supplied to the Oracle 9i Application Server data dictionary tables. It is found in Oracle 9i Application Server Portal Release 1, v3.0.9.8.5 and prior versions, as well as Oracle 9i Application Server Portal Release 2, v9.0.2.3.0 and prior versions. Version 9.0.2.6 and later are not vulnerable.

Exploiting the vulnerability isn't easy. An attacker could gain unauthorized access to data on the application server by injecting a SQL script through a URL. More specifically, it requires sending SQL queries to the data dictionary tables on the application server.
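The mechanism described above, user input from a URL reaching a SQL statement without validation, is easiest to see side by side with its fix. The following is an added example written for this page, not Oracle's code and not the portal component's actual query: it uses an in-memory SQLite table as a constructed stand-in for a data dictionary table, a hypothetical `owner` query parameter, and an assumed allowlist policy for what an owner name may look like. The vulnerable lookup concatenates the parameter into the statement; the hardened one validates the input and passes it as a bind variable.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed stand-in for a portal 'data dictionary' table.

    This is not Oracle's schema; it exists only so the two lookups below
    have something to query. One row is public, one is not.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE portal_objects (owner TEXT, object_name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO portal_objects VALUES (?, ?, ?)",
        [("PUBLIC", "HOME_PAGE", 1), ("HR", "PAYROLL", 0)],
    )
    return conn


def owner_from_url(url):
    """Pull the (hypothetical) 'owner' query parameter out of a request URL."""
    return parse_qs(urlparse(url).query).get("owner", [""])[0]


def lookup_vulnerable(conn, url):
    """Deliberately defective: the URL parameter is pasted into the SQL text."""
    owner = owner_from_url(url)
    # Whatever the user typed becomes part of the SQL grammar, so a value
    # containing a quote can change the WHERE clause and drop the public=1 filter.
    sql = (
        "SELECT object_name FROM portal_objects "
        f"WHERE public = 1 AND owner = '{owner}' ORDER BY object_name"
    )
    return [row[0] for row in conn.execute(sql)]


# Assumed policy: an owner name is a short identifier, nothing else.
IDENTIFIER = re.compile(r"^[A-Z0-9_]{1,30}$")


def lookup_hardened(conn, url):
    """Input validation plus a bind variable; the value never becomes SQL text."""
    owner = owner_from_url(url)
    if not IDENTIFIER.match(owner):
        raise ValueError(f"rejected owner parameter: {owner!r}")
    sql = (
        "SELECT object_name FROM portal_objects "
        "WHERE public = 1 AND owner = ? ORDER BY object_name"
    )
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    benign = "http://portal.example/page?owner=PUBLIC"
    # Constructed hostile request: the parameter decodes to  ' OR '1'='1
    hostile = "http://portal.example/page?owner=%27%20OR%20%271%27%3D%271"
    print(lookup_vulnerable(db, benign))   # ['HOME_PAGE']
    print(lookup_vulnerable(db, hostile))  # ['HOME_PAGE', 'PAYROLL'] (non-public row leaked)
    print(lookup_hardened(db, benign))     # ['HOME_PAGE']
    try:
        lookup_hardened(db, hostile)
    except ValueError as exc:
        print("blocked:", exc)
```

Either defence alone would stop this particular input: the allowlist rejects it before any query runs, and even without the allowlist the bind variable would compare `owner` against the literal string and return nothing. Using both is the usual choice, since validation gives an early, loggable rejection while the bind variable protects the statement regardless of what validation missed.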

A SQL injection attack through the Internet is likely if the required conditions listed above are met, according to Oracle. The vulnerability could also be exploited through a corporate Intranet.

Patches have been released for v9.0.2.3.0 and v3.0.9.8.5. These are available at Oracle's Metalink site.

FOR MORE INFORMATION:

Download the Oracle advisory on the vulnerability and links to patches here in .pdf format
