Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability

Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version


The oracle E Business including applications like I-Recruitment etc is
vulnerable to flaw which leads
to sensitive information disclosure about the deployment of oracle
application and server in a production
environment. The flaw persists in the E Business suite designed code
which allows malicious user to steal
sensitive information through "About Us Page" (shipped with E Business
Suite) by allowing guest access.
In addition to this a straight forward access is granted to attacker to
steal all the information which provide
potential attack surface for conducting stringent attacks.

The severity gets higher because the type of information is revealed.
This can be structured over two end points as:

1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.

Proof of Concept: Refer to the whitepaper for detail information

SecNiche confirmed this vulnerability affects the above oracle version

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply : 26 Sept 2008
Oracle Fix and Release Date. 13 January 2009


Vendor Response:
Oracle acknowledges this vulnerability and fix have been release in
critical advisory update of 13 January 2009

Oracle Critical Patch Update:

Oracle Credited Aditya K Sood for discovering this vulnerability

The information in the advisory is believed to be accurate at the time
of publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
is no representation or warranties, either express or implied by or with
respect to anything in this document,
and shall not be liable for a ny implied warranties of merchantability
or fitness for a particular purpose or for
any indirect special or consequential damages.

Relevant Pages