Advisory: Oracle Forms Insecure Temporary File Handling

ak_at_red-database-security.com
Date: 07/13/05

    Date: 13 Jul 2005 19:36:33 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) Red-Database-Security GmbH - Oracle Security Advisory

    Oracle Forms Insecure Temporary File Handling

     Name:             Oracle Forms Insecure Temporary File Handling
     Systems Affected: Oracle Forms 4.5, 6.0, 6i, 9i
     Severity:         Medium Risk
     Category:         Information disclosure
     Vendor URL:       http://www.oracle.com
     Author:           Alexander Kornbrust (ak at red-database-security.com)
     Date:             13 July 2005 (V 1.00)
     Advisory:         AKSEC2003-006
     Oracle Vuln#:     AS04
     Time to fix:      693 days

    Details
    #######
    If the number of records an Oracle Forms application retrieves from the
    database exceeds the "buffered records" parameter, Oracle Forms creates
    a temp file in the temp directory of the application server. This
    temp file contains an unencrypted copy of the database table used in the Forms
    application (e.g. creditcard). The default permission for these temp files
    (format: AAAa<processid>.TMP) is -rw-rw-r--, so every UNIX user on the application
    server can read the content of this file (e.g. credit card information, ...).

    Example
    #######
    ls -la /tmp
    -rw-rw-r-- 1 oracle oinstall 47600 Aug 17 20:30 AAAa15400.TMP

    Workaround
    ##########
    Set the environment variables TMP, TEMP and TMPDIR to a secure location. Which variable is used depends on the OS of the application server.

    Delete old AAA* files on a regular basis.

    Patch Information
    ##################
    Apply patches for the application server mentioned in Metalink Note 311038.

    History
    #######
    19-aug-2003 Oracle secalert_us was informed
    20-aug-2003 Bug confirmed
    12-jul-2005 Oracle published Oracle Critical Patch Update July 2005
    13-jul-2005 Red-Database-Security published this advisory

    2005 by Red-Database-Security GmbH
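
The Workaround steps above as shell functions, added here as an example and not part of the original advisory: list Forms temp files that other users can read, point TMP, TEMP and TMPDIR at a private 0700 directory, and purge old files. The function names, the AAAa<digits>.TMP glob and the default age threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit, harden and clean the temp
# directory that receives Oracle Forms record buffer files.
# Assumption: files are named AAAa<digits>.TMP, as in the advisory's listing.
FORMS_TMP_GLOB='AAAa[0-9]*.TMP'

# Print Forms temp files directly in DIR that group or other users can read.
list_exposed_forms_tmp() {
    find "${1:-/tmp}" -maxdepth 1 -type f -name "$FORMS_TMP_GLOB" \
        \( -perm -040 -o -perm -004 \) -print
}

# Create DIR with mode 0700 and point TMP, TEMP and TMPDIR at it.
# Call this in the environment that starts the Forms runtime, so new
# temp files land in a directory only the owning account can enter.
use_private_tmp() {
    [ -n "$1" ] || return 1
    ( umask 077 && mkdir -p "$1" ) || return 1
    chmod 700 "$1" || return 1          # tighten a pre-existing directory
    TMP=$1 TEMP=$1 TMPDIR=$1
    export TMP TEMP TMPDIR
}

# Delete Forms temp files in DIR whose age exceeds DAYS full days
# (find -mtime +DAYS semantics; DAYS defaults to 1).
purge_old_forms_tmp() {
    find "$1" -maxdepth 1 -type f -name "$FORMS_TMP_GLOB" \
        -mtime +"${2:-1}" -exec rm -f {} +
}

# Usage, e.g. from the Forms start script and a daily cron job:
#   list_exposed_forms_tmp /tmp
#   use_private_tmp "$HOME/forms_tmp"
#   purge_old_forms_tmp "$HOME/forms_tmp" 1
```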

