SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES



###########################################################

Name SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Systems Affected Oracle APEX/HTMLDB
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 18 October 2006 (V 1.00)
Advisory http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_flow_utilities.html

Details
#######
The list of values (LOV) generated by wwv_flow_utilities.gen_popup_list contains a SQL
injection vulnerability. Depending on the APEX application, it is possible to
inject custom SQL statements. The entire SELECT statement is passed in the URL
parameter P_LOV. To protect the statement in the URL, Oracle uses an MD5
checksum, P_LOV_CHECKSUM. Because that checksum can be recalculated by anyone
who can see the URL, it provides no integrity protection: by modifying the SQL
statement and recomputing P_LOV_CHECKSUM, it is possible to run custom SQL
statements from the URL.

Sample URL:
http://apex:7777/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064
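The following is an added example, not Oracle's code and not part of the original advisory. It parses the sample URL above, shows the attacker's move (swap P_LOV, recompute P_LOV_CHECKSUM), and contrasts a checksum computed only from attacker-visible data with a keyed HMAC that the attacker cannot recompute. The exact inputs to Oracle's MD5 checksum are not documented here, so the unkeyed function below is a hypothetical stand-in (plain MD5 over the statement text) and is not expected to reproduce the checksum value in the sample URL; the server secret and the injected statement are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Sample URL quoted in the advisory above.
ADVISORY_URL = (
    "http://apex:7777/pls/htmldb/wwv_flow_utilities.gen_popup_list"
    "?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01"
    "&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES"
    "&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297"
    "&p_eval_value=&p_return_key=YES&p_translation=N"
    "&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d"
    "%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name"
    "&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064"
)

# Constructed server-side secret for the keyed variant; it never appears in a URL.
SERVER_SECRET = b"constructed-demo-secret"


def split_url(url):
    """Split a URL into its parts and a dict of single-valued query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts, params


def unkeyed_checksum(statement):
    """HYPOTHETICAL stand-in for a checksum built only from attacker-visible data.
    The real APEX algorithm is not reproduced here, so the checksum value in the
    advisory's URL is not expected to verify under this function."""
    return hashlib.md5(statement.encode("utf-8")).hexdigest().upper()


def keyed_checksum(statement, secret):
    """Keyed alternative: an HMAC that cannot be recomputed without the server secret."""
    return hmac.new(secret, statement.encode("utf-8"), hashlib.sha256).hexdigest().upper()


def build_url(template_url, statement, checksum):
    """Rebuild the URL with a new p_lov and p_lov_checksum, keeping the other parameters."""
    parts, params = split_url(template_url)
    params["p_lov"] = statement
    params["p_lov_checksum"] = checksum
    return urlunsplit(parts._replace(query=urlencode(params)))


def attacker_forge(template_url, statement):
    """The attacker's move from the advisory: swap the statement, recompute the unkeyed checksum."""
    return build_url(template_url, statement, unkeyed_checksum(statement))


def server_accepts_unkeyed(url):
    """Vulnerable check: compares against a checksum the attacker can compute as well."""
    _, p = split_url(url)
    return hmac.compare_digest(p["p_lov_checksum"], unkeyed_checksum(p["p_lov"]))


def server_accepts_keyed(url, secret):
    """Hardened check: only URLs issued with the server secret verify."""
    _, p = split_url(url)
    return hmac.compare_digest(p["p_lov_checksum"], keyed_checksum(p["p_lov"], secret))


def demo():
    """Run both checks against a legitimately issued URL and forged/tampered ones."""
    legit_stmt = split_url(ADVISORY_URL)[1]["p_lov"]
    # Constructed attacker-chosen statement; any SELECT returning (d, r) columns would do.
    injected_stmt = "select username d, user_id r from all_users"

    forged = attacker_forge(ADVISORY_URL, injected_stmt)
    issued_keyed = build_url(ADVISORY_URL, legit_stmt, keyed_checksum(legit_stmt, SERVER_SECRET))
    # Attacker keeps the valid keyed checksum but swaps the statement underneath it.
    tampered_keyed = build_url(issued_keyed, injected_stmt,
                               split_url(issued_keyed)[1]["p_lov_checksum"])

    return {
        "unkeyed_accepts_forgery": server_accepts_unkeyed(forged),
        "keyed_accepts_issued": server_accepts_keyed(issued_keyed, SERVER_SECRET),
        "keyed_accepts_forgery": server_accepts_keyed(forged, SERVER_SECRET),
        "keyed_accepts_tampered": server_accepts_keyed(tampered_keyed, SERVER_SECRET),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Even the keyed check only proves that the statement was issued by the server, not that it is safe: if the server builds the statement from user input, injection is still possible. The more robust design keeps the statement server-side and passes only an opaque identifier in the URL.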



Affected Products
#################
This bug is fixed in APEX 2.2, which is not part of the Critical Patch
Update October 2006. It is necessary to upgrade your APEX/HTMLDB installation
to 2.2 or, better, 2.2.1.

Patches are currently not available for Oracle Application Express.

Patch Information
#################
This bug is fixed in APEX 2.2 and higher.



History
#######
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends updating to 2.2.1
18-oct-2006 Red-Database-Security published this advisory


Additional Information
######################
An analysis of the Oracle CPU October 2006 is available at http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


