
oracle-privilege.txt
Posted Oct 22, 2008
Authored by Pete Finnigan | Site petefinnigan.com

Oracle Application Express (APEX) suffers from an excessive privileges issue in relation to the FLOWS database schema/user account.

tags | advisory
SHA-256 | 882a4730a9ac5f34d49c20a010a691e36ff7442ad833b301e662a5a8e1396987

Advisory for Oracle CPU October 2008 - APEX FLOWS excessive privileges
======================================================================

See http://www.petefinnigan.com/Advisory_CPU_Oct_2008.htm for details

Description
-----------

Oracle Application Express (APEX) is a rapid development tool for
building web-based interfaces and applications that run against an
Oracle database. APEX is operated from a web browser and allows people
with limited programming experience to develop professional
applications. The issue located by PeteFinnigan.com Limited relates to
excessive privileges assigned to the FLOWS database schema/user account.

Risk
----

If the APEX (FLOWS) schemas exist, the risk is present until the patch
is applied. The risk increases if the schema is reachable because of a
weak password, or through another attack vector that lets code run as
the APEX FLOWS account. Access to the schema, either direct or indirect,
is required to exploit this issue. Note that in a default installation
the password for this account is random and complex.

Workaround
----------

If APEX is not used in the database then it can be removed by dropping
the FLOWS schemas and removing the APEX functionality.
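The audit script below is added here as a worked example; it is not part of the original advisory and is not Pete Finnigan's code. It is what a DBA would run to establish whether the FLOWS schemas are present, whether the accounts are open, what system privileges and roles they hold, and who else can reach them indirectly. The dictionary views and the FLOWS_% / APEX_% name patterns are standard Oracle; the list of "run code as another user" privileges in the last query is my own selection, not a list from the advisory.

```sql
-- Added example (not from the original advisory). Run as a DBA in SQL*Plus.
-- Underscore is a LIKE wildcard, so it is escaped to match literal FLOWS_ / APEX_.
-- APEX_% covers later releases where the engine schema was renamed.

-- 1. Which APEX engine schemas exist, and are the accounts open?
--    A default install leaves the password random and complex; an account
--    that shows OPEN (rather than LOCKED/EXPIRED) is the first thing to question.
SELECT username, account_status, lock_date, expiry_date, created
FROM   dba_users
WHERE  username LIKE 'FLOWS\_%' ESCAPE '\'
   OR  username LIKE 'APEX\_%'  ESCAPE '\'
ORDER BY username;

-- 2. System privileges granted directly to those schemas (the "excessive
--    privileges" the advisory is about will show up here).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee LIKE 'FLOWS\_%' ESCAPE '\'
   OR  grantee LIKE 'APEX\_%'  ESCAPE '\'
ORDER BY grantee, privilege;

-- 3. Roles granted to them, and the system privileges arriving via those roles.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee LIKE 'FLOWS\_%' ESCAPE '\'
   OR  grantee LIKE 'APEX\_%'  ESCAPE '\'
ORDER BY grantee, granted_role;

SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   role_sys_privs sp ON sp.role = rp.granted_role
WHERE  rp.grantee LIKE 'FLOWS\_%' ESCAPE '\'
   OR  rp.grantee LIKE 'APEX\_%'  ESCAPE '\'
ORDER BY rp.grantee, sp.privilege;

-- 4. Indirect access: FLOWS-owned objects executable by PUBLIC or by
--    non-APEX accounts. Definer-rights procedures here run as FLOWS.
SELECT owner, table_name, grantee, privilege
FROM   dba_tab_privs
WHERE  owner LIKE 'FLOWS\_%' ESCAPE '\'
  AND  privilege = 'EXECUTE'
ORDER BY owner, table_name, grantee;

-- 5. Indirect access: accounts holding privileges that let them create or run
--    code as any schema, FLOWS included. (Privilege list is my selection.)
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('EXECUTE ANY PROCEDURE', 'CREATE ANY PROCEDURE',
                     'ALTER ANY PROCEDURE', 'ALTER USER', 'BECOME USER')
  AND  grantee NOT IN ('SYS', 'SYSTEM')
ORDER BY privilege, grantee;
```

Queries 2 and 3 answer the question the advisory raises (what the FLOWS account can do); queries 4 and 5 answer the precondition in the Risk section (who can get code to run as FLOWS without its password). If APEX is genuinely unused, the drop of the FLOWS schemas described above is the fix; Oracle's APEX distribution ships an apxremov.sql script for that removal, and it should be rehearsed on a non-production copy first, since the engine schemas are referenced from other objects.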

Patch Information
-----------------

PeteFinnigan.com Limited advises customers to apply the October 2008 CPU
patch as soon as is practical. See Oracle's advisory for details of the
patch availability matrix.

Credit
------

Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.


cheers

Pete

--

Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

Registered in England and Wales
Company No: 4664901

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: 0044 (0)1904 791188
Fax : 0044 (0)1904 791188
Mob : 0044 (0)7742 114223
email: pete@petefinnigan.com
site : http://www.petefinnigan.com

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited. This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.