Oracle Reports: Generic SQL Injection Vulnerability via Lexical References

• Previous message: alexsrb_at_netsite.com: "Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 14 Sep 2005 21:10:28 -0000
To: bugtraq@securityfocus.com

Generic SQL Injection Vulnerability in Oracle Reports via Lexical References

 Name Generic SQL Injection Vulnerability in Oracle Reports via Lexical References
Systems Affected Generated Oracle Reports using Lexical References
 Severity High Risk
 Category SQL Injection
 Remote Exploitable Yes
 Vendor URL http://www.oracle.com
 Author Alexander Kornbrust (ak at red-database-security.com)
 Date 15 September 2005 (V 1.00)
 Advisory-URL
 http://www.red-database-security.com/wp/sql_injection_reports_us.pdf

Details
#######
Oracle Reports provides a feature called lexical references. A lexical reference is a placeholder for text that you embed in a SELECT statement.
It is possible to replace the clauses appearing after SELECT, FROM, WHERE, GROUP BY, ORDER BY, HAVING, CONNECT BY and START WITH.

If lexical references are in use it is possible to modify SQL statements via a simple URL. After adding the parameter "paramform=yes" in the URL a parameter form window appears (=SQL Injection with a menu).

An attacker can modify the parameter values and inject SQL statements.

Testcase
########
Executed an Oracle Report via an URL, e.g.
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scott/tiger@ora9206+destype=CACHE+desformat=HTML

Add the value paramform=yes to the URL
http://myserver:8889/reports/rwservlet?report=sqlinject3.rdf+userid=scott/tiger@ora9206+destype=CACHE+desformat=HTML+paramform=yes

A parameter window appears. Inject the SQL statement by modifying the values in the parameter form and submit the query.

A detailed description including hardcopies is available in the PDF advisory:

http://www.red-database-security.com/wp/sql_injection_reports_us.pdf (English)

http://www.red-database-security.com/wp/sql_injection_reports_dt.pdf (German)

Affected systems
################
All generated reports using lexical references without input validation.

Patch Information
#################
This issue is not a bug in Oracle Reports itself. It is a problem of missing input validation in all generated Oracle Reports.

Fix
###
Validate all parameter values before the SQL statement is executed in an
After-Parameter-Form-Trigger.

History
#######
14-may-2004 Oracle secalert was informed to give them time to fix their reports in the E-Business Suite.

15-sep-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH
http://www.red-database-security.com

• Previous message: alexsrb_at_netsite.com: "Online Dating Software by AEwebworks - aeDating Script <= 4.0 Version Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-disclosure] Oracle Reports: Generic SQL Injection Vulnerability via Lexical References ... Generic SQL Injection Vulnerability in Oracle Reports via Lexical ... Systems Affected Generated Oracle Reports using Lexical References ... (Full-Disclosure) [NEWS] Oracle Reports Lexical References SQL Injection ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Oracle Reports is ... these reports are using lexical references without input validation. ... (in this case Oracle Reports Developer) ... (Securiteam) oracle reports 6i no data ... I have an oracle reports that delivers no data when runned after ... supplying the parameters via form. ... The data can be queried using sql and the resultset is not empty. ... (comp.databases.oracle.tools)