
Serious flaw found in Oracle 9i app server

A flaw in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information.

A vulnerability in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information from vulnerable systems.

The flaw is an input validation error in the Portal component: user-supplied input reaches queries against the Oracle 9i Application Server data dictionary tables without being properly checked. It affects Oracle 9i Application Server Portal Release 1, v3. and earlier, and Oracle 9i Application Server Portal Release 2, v9. and earlier. Version and later are not vulnerable.

Exploiting the vulnerability isn't easy. An attacker could gain unauthorized access to data on the application server by injecting SQL through a URL; more specifically, the injected statements have to be directed at the data dictionary tables on the application server.
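The following is an added illustration of the attack class the article describes, not code from the article, from Oracle, or from the Portal product, and it is not the actual Oracle Portal exploit. It uses an in-memory SQLite database with a constructed portal schema, and SQLite's sqlite_master catalog stands in for Oracle's data dictionary. The request URLs, parameter name (`id`), table names and the password hash are all constructed for the example. It shows a URL parameter concatenated into a query (the vulnerable form), the two-step abuse of that flaw (enumerate the catalog, then read a table learned from it), and the hardened form that validates the parameter and binds it.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def build_db():
    """Constructed stand-in for a portal database (not Oracle's schema).

    SQLite's sqlite_master catalog plays the role of Oracle's data
    dictionary: it lists every table an attacker might want to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE portal_users (username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES (1, 'Welcome'), (2, 'Contact');
        INSERT INTO portal_users VALUES ('portal_admin', 'not-a-real-hash');
        """
    )
    return conn


def page_id_from_url(url):
    """Pull the hypothetical 'id' query parameter out of a request URL."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """Insecure: the URL parameter is concatenated straight into the SQL text."""
    sql = "SELECT title FROM pages WHERE id = " + page_id_from_url(url)
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, url):
    """Secure: validate the parameter, then pass it as a bound value."""
    page_id = page_id_from_url(url)
    if not page_id.isdigit():
        raise ValueError("page id must be a non-negative integer")
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (int(page_id),))
    return [row[0] for row in rows]


# Constructed request URLs. The '+' signs decode to spaces in the query string.
BENIGN_URL = "http://portal.example/page?id=2"
CATALOG_URL = "http://portal.example/page?id=0+UNION+SELECT+name+FROM+sqlite_master"
DUMP_URL = (
    "http://portal.example/page?id=0+UNION+SELECT+username+||+':'+||+"
    "password_hash+FROM+portal_users"
)


def demo():
    """Run both lookups against the constructed URLs and collect the outcomes."""
    conn = build_db()
    results = {
        "benign_vulnerable": lookup_vulnerable(conn, BENIGN_URL),
        # Step 1 of the attack: read the catalog to learn which tables exist.
        "enumerate_catalog": lookup_vulnerable(conn, CATALOG_URL),
        # Step 2: read a table discovered in step 1.
        "dump_users": lookup_vulnerable(conn, DUMP_URL),
        "benign_hardened": lookup_hardened(conn, BENIGN_URL),
    }
    try:
        lookup_hardened(conn, DUMP_URL)
        results["attack_hardened"] = "executed"
    except ValueError:
        results["attack_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding the parameter on its own would already defeat these payloads, because a bound string is compared as a value and never parsed as SQL; the digit check on top of it turns the attempt into an explicit rejection that can be logged. In Oracle the first step of such an attack would target data dictionary views such as ALL_TABLES or ALL_TAB_COLUMNS; the article does not say which views the Portal flaw exposed, so none are assumed here.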

According to Oracle, a SQL injection attack over the Internet is likely where the conditions above are met, that is, where a vulnerable Portal version is reachable by URL. The vulnerability could equally be exploited from inside a corporate intranet.

Patches have been released for v9. and v3. They are available from Oracle's MetaLink site.


Oracle's advisory on the vulnerability, including links to the patches, is available in .pdf format.
