Multiple SQL injection vulnerabilities have been discovered in the Oracle E-Business Suite 11i and Oracle Applications 11.0 that could allow an attacker to take control of the database and applications.
The vulnerabilities were found in Oracle E-Business Suite 11i versions 11.5.1 through 11.5.8 and in all releases of Oracle Applications 11.0.
The vulnerabilities can be remotely exploited by an unauthenticated user with a browser by sending a specially crafted URL to the Web server, according to a security bulletin issued by Chicago-based Integrigy Corp. A patch from Oracle is required to solve the security issues.
The vulnerabilities were discovered by Stephen Kost, who said they can be exploited by conducting SQL injection attacks. They are caused by unspecified input validation errors.
A SQL injection hole in software can be very serious, according to security experts. A security lapse in Oracle E-Business Suite could place financial data and other information in the hands of an attacker.
"There is generally some very sensitive data that is vulnerable here," said security expert Aaron Newman, chief technology officer and founder of New York-based Application Security Inc. "If you do a SQL injection, it will let you run pretty much any query that you choose and it can be very damaging."
Newman said that so far the specific location of the vulnerability remains unclear, making it somewhat more difficult for a hacker to discover the hole.
In an advisory issued by Oracle, the company said the risk of exposure is high, since anyone with a browser can exploit the vulnerability. There are no workarounds for these specific vulnerabilities, Oracle said.