[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, submit@xxxxxxxxxxx, vuln@xxxxxxxxxxx, vuldb@xxxxxxxxxxxxxxxxx, submit@xxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx
- Subject: Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
- From: Aditya K Sood <0kn0ck@xxxxxxxxxxxx>
- Date: Sun, 18 Jan 2009 19:12:59 +0530
Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2
CVE:
2008-5446
Description:
The oracle E Business including applications like I-Recruitment etc is
vulnerable to flaw which leads
to sensitive information disclosure about the deployment of oracle
application and server in a production
environment. The flaw persists in the E Business suite designed code
which allows malicious user to steal
sensitive information through "About Us Page" (shipped with E Business
Suite) by allowing guest access.
In addition to this a straight forward access is granted to attacker to
steal all the information which provide
potential attack surface for conducting stringent attacks.
The severity gets higher because the type of information is revealed.
This can be structured over two end points as:
1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.
Proof of Concept: Refer to the whitepaper for detail information
http://secniche.org/papers/orabs.pdf
Detection:
SecNiche confirmed this vulnerability affects the above oracle version
listed.
Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply : 26 Sept 2008
Oracle Fix and Release Date. 13 January 2009
Links:
http://www.secniche.org/orabs.html
http://evilfingers.com/advisory/index.php
Vendor Response:
Oracle acknowledges this vulnerability and fix have been release in
critical advisory update of 13 January 2009
Oracle Critical Patch Update:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
Credit:
Oracle Credited Aditya K Sood for discovering this vulnerability
Disclaimer:
The information in the advisory is believed to be accurate at the time
of publishing based on currently
available information. Use of the information constitutes acceptance for
use in an AS IS condition. There
is no representation or warranties, either express or implied by or with
respect to anything in this document,
and shall not be liable for a ny implied warranties of merchantability
or fitness for a particular purpose or for
any indirect special or consequential damages.