OSVDB ID: 81268

Title: Oracle Database Server / Enterprise Manager Database Grid Control /em/console/ecm/search/searchPage SCPLBL_INSTALLED_DATE0DI Parameter SQL Injection

Info

Disclosure
Apr 17, 2012

Discovery
Unknown

Dates

Exploit
Unknown

Solution
Apr 17, 2012

Description

 Oracle Database Server and Oracle Enterprise Manager Grid Control contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /em/console/ecm/search/searchPage script not properly sanitizing user-supplied input to the 'SCPLBL_INSTALLED_DATE0DI' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

 Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

Products

Oracle Corporation

Enterprise Manager Grid Control

 10.2.0.5
11.1.0.1

Oracle Database Server

 11.1.0.7
11.2.0.3
11.2.0.2

References

Credit

Unknown or Incomplete


Direct URL: http://osvdb.org/81268