Digital Security Research Group [DSecRG] Advisory #DSECRG-09-010 http://dsecrg.com/pages/vul/show.php?id=110 Application: Oracle Database 10G Versions Affected: Oracle 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4 Vendor URL: http://oracle.com Bugs: PL/SQL Injections Exploits: YES Reported: 29.01.2008 Vendor response: 31.01.2008 CVE: CVE-2009-1991 SVSS2: 3.6 Date of Public Advisory: 26.10.2009 Authors: Alexandr Polyakov Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) Description *********** Oracle Database 10G and 9g vulnerable to PL/SQL Injection. PL/SQL Injection found in procedure ctxsys.drvxtabc.create_tables Details ******* PL/SQL Injection found in procedure ctxsys.drvxtabc.create_tables ctxsys.drvxtabc.create_tables has 3 parameters idx_owner - varchar2 idx_name - varchar2 idxid - number idx_owner and idx_name are vulnerable to SQL Injection ******* Example: exec ctxsys.drvxtabc.create_tables('SH"."SH2KERR" (X NUMBER)--','yyyyyyyyy',2); Fix Information *************** Information was published in CPU October 2009. All customers can download CPU patches following instructions from: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html Credits ******* Oracle give a credits for Alexander Polyakov from Digital Security Company in CPU October 2009. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html Current advisory: http://dsecrg.com/pages/vul/show.php?id=110 About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com