Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
- From: Aditya K Sood <0kn0ck@xxxxxxxxxxxx>
- Date: Sun, 18 Jan 2009 19:12:59 +0530
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 18.104.22.168
The oracle E Business including applications like I-Recruitment etc is
vulnerable to flaw which leads
to sensitive information disclosure about the deployment of oracle
application and server in a production
environment. The flaw persists in the E Business suite designed code
which allows malicious user to steal
sensitive information through "About Us Page" (shipped with E Business
Suite) by allowing guest access.
In addition to this a straight forward access is granted to attacker to
steal all the information which provide
potential attack surface for conducting stringent attacks.
The severity gets higher because the type of information is revealed.
This can be structured over two end points as:
1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.
Proof of Concept: Refer to the whitepaper for detail information
SecNiche confirmed this vulnerability affects the above oracle version
Disclosed: 25 Sept 2008
Reply : 26 Sept 2008
Oracle Fix and Release Date. 13 January 2009
Oracle acknowledges this vulnerability and fix have been release in
critical advisory update of 13 January 2009
Oracle Critical Patch Update:
Oracle Credited Aditya K Sood for discovering this vulnerability
The information in the advisory is believed to be accurate at the time
of publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
is no representation or warranties, either express or implied by or with
respect to anything in this document,
and shall not be liable for a ny implied warranties of merchantability
or fitness for a particular purpose or for
any indirect special or consequential damages.
- Prev by Date: [ GLSA 200901-12 ] noip-updater: Execution of arbitrary code
- Next by Date: Web Hacking Incidents update for Jan 19th
- Previous by thread: [ GLSA 200901-12 ] noip-updater: Execution of arbitrary code
- Next by thread: Web Hacking Incidents update for Jan 19th