what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

oracle_apex_sql_injection_check_db_password.txt

oracle_apex_sql_injection_check_db_password.txt
Posted Jul 19, 2007
Authored by Alexander Kornbrust | Site red-database-security.com

Oracle APEX suffers from a SQL injection vulnerability in the function wwv_flow_security.check_db_password.

tags | advisory, sql injection
SHA-256 | be85cdf82928543a15cd632048bd34f09111e4e5b7b86a1a31f11c3889e30768

oracle_apex_sql_injection_check_db_password.txt

Change Mirror Download
SQL Injection Vulnerability in Oracle APEX CHECK_DB_PASSWORD
#######################################################
This advisory
<http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html>

Name SQL Injection Vulnerability in Oracle CHECK_DB_PASSWORD
Systems Oracle APEX
Severity Medium Risk
Category SQL Injection
Author Alexander Kornbrust (ak at red-database-security.com)
Date 17 July 2007 (V 1.00)


Details
########
The function wwv_flow_security.check_db_password contains a SQL injection vulnerability.
Oracle is using the ALTER USER command to change the password of a database user without
doing an input validation of the password (=typical Oracle PL/SQL programming fault).

APEX 3.0.1 is now doing an input validation on the user password. Apex 3.0.1 is used in
Oracle 11g.


Old, vulnerable code
####################
FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
RETURN FALSE;END IF;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
L_STMT:= 'ALTER USER "' || P_USER_NAME || '" IDENTIFIED BY "' || P_PASSWORD||'"';
EXECUTE IMMEDIATE L_STMT;


New code
########
Oracle is now doing a length check of the password (30 characters). Good idea. I'm
interested to see if this is changed in 11g where passwords up to 50 characters are
allowed. One part of the input validation is stupid code. If the password contains a
chr(34) Oracle throws an error message.
chr(34) is never executed. Even if this code would be executed this could be bypassed
quite easily (e.g. chr( 34) or chr(34 ) or chr(35-1) or ...)


FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
RETURN FALSE;END IF;
IF LENGTH(P_PASSWORD) > 30 OR INSTR(P_PASSWORD,'"') > 0 OR INSTR(LOWER(P_PASSWORD),'chr(34)') > 0 THEN RETURN FALSE;END IF;

BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
L_STMT:= 'ALTER USER "' || P_USER_NAME || '" IDENTIFIED BY "' || P_PASSWORD||'"';
EXECUTE IMMEDIATE L_STMT;



Affected Products
#################
This bug is fixed with 3.0.1 of APEX which is not part of the Critical Patch Update July 2006. It's necessary to upgrade your APE installation to 3.0.1 or higher. Apex 3.0.1 is compatible with Oracle Application Express.

Patch Information
#################
This bug is fixed with Apex 3.0.1 or higher.



History
#######
07-may-2007 Oracle secalert was informed
07-may-2007 Bug confirmed
29-jun-2007 Oracle released APEX 3.0.1
17-jul-2007 Oracle published CPU July 2007 and recommends to update to 3.0.1
17-jul-2007 Red-Database-Security published this advisory


Analysis and CVE entries of the Oracle CPU
###########################################
<http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html>


(c) 2007 by Red-Database-Security GmbH
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close