[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Unprivileged DB users can see APEX password hashes



Name              Unprivileged DB users can see APEX password hashes
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity          High Risk
Category          Password Disclosure
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
CVE               CVE-2009-0981
Advisory          14 April 2009 (V 1.00)


Details:
Unprivileged database users can see APEX password hashes in 
FLOWS_030000.WWV_FLOW_USER.

SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME    WEB_PASSWORD2
----------------------------------------------------------------------
YURI                 141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html


Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information from the 
Oracle
CPU April 2009 and can identify vulnerable databases. 
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan


History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published


About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the 
last 
6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com