what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

oracle-privilege.txt

oracle-privilege.txt
Posted Oct 22, 2008
Authored by Pete Finnigan | Site petefinnigan.com

Oracle Application Express (APEX) suffers from an excessive privileges issue in relation to the FLOWS database schema/user account.

tags | advisory
SHA-256 | 882a4730a9ac5f34d49c20a010a691e36ff7442ad833b301e662a5a8e1396987

oracle-privilege.txt

Change Mirror Download
Advisory for Oracle CPU October 2008 - APEX FLOWS excessive privileges
======================================================================

See http://www.petefinnigan.com/Advisory_CPU_Oct_2008.htm for details

Description
-----------

Oracle Appication Express (APEX) is a rapid development tool for
developing web based ineterfaces and applications that run against an
Oracle database. APEX is operated from a web browser and allows people
with limited programming experience to develop professional
applications. The issue located by PeteFinnigan.com Limited relates to
excessive privileges assigned to the FLOWS database schema/user account.

Risk
----

If the APEX schemas exist then the risk is still present without
application of the patch. The risk increases if the schema is accessible
due to a weak password or an additional attack vectors that allows code
to run as the APEX FLOWS account. Access to the schema, either directly
or indirectly are required to exploit this issue. Note that normally the
password for this account in a default installation is random and complex.

Workaround
----------

If APEX is not used in the database then it can be removed by dropping
the FLOWS schemas and removing the APEX functionallity.

Patch Information
-----------------

PeteFinnigan.com Limited advises customers to apply the January 2008 CPU
patch as soon as is practical. See Oracle's advisory for details of the
patch availability matrix.

Credit
------

Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.


cheers

Pete

--

Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

Registered in England and Wales
Company No: 4664901

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: 0044 (0)1904 791188
Fax : 0044 (0)1904 791188
Mob : 0044 (0)7742 114223
email: pete@petefinnigan.com
site : http://www.petefinnigan.com

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited. This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close