OSVDB ID: 86386

Title: Oracle Database Core RDBMS Component Alter FBA Table Name SQL Injection

Info

Disclosure

Oct 16, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Oct 16, 2012

Description

Oracle Database contains a flaw in the Core RDBMS component that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input to the Alter FBA Table. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Classification

Location: Remote / Network Access
Attack Type: Attack Type Unknown
Impact: Loss of Confidentiality, Loss of Integrity, Loss of Availability
Solution: Patch / RCS
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Authentication Required

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

Products

Oracle Corporation	Oracle Database	11.1.0.7
		11.2.0.2
		11.2.0.3

References

Security Tracker: 1027664
CVE ID: 2012-1751 (see also: NVD)
Secunia Advisory ID: 50985
ISS X-Force ID: 79291
Related OSVDB ID: 86379 86387
Packet Storm: http://packetstormsecurity.com/files/120476/Oracle-Alter-FBA-Table-SQL-Injection.html
Mail List Post: http://seclists.org/bugtraq/2013/Feb/103
Vendor Specific Advisory URL: http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Other Advisory URL: https://www.teamshatter.com/?p=4115

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/86386

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Oracle Corporation

Oracle Database

References

Credit