Oracle E-Business Suite Sensitive Information Disclosure Vulnerability

2009.01.19
Credit: Aditya K Sood
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Version Affected:
- Oracle E-Business Suite Release 12, version 12.0.6
- Oracle E-Business Suite Release 11i, version 11.5.10.2

CVE: 2008-5446

Description:
The Oracle E-Business Suite, including applications such as iRecruitment, is vulnerable to a flaw that leads to the disclosure of sensitive information about the deployment of the Oracle application and server in a production environment. The flaw lies in the E-Business Suite's own code, which lets a malicious user obtain sensitive information through the "About Us Page" (shipped with the E-Business Suite) because guest access to that page is permitted. This gives an attacker straightforward access to all of that information, which provides a potential attack surface for further, more targeted attacks. The severity is raised by the type of information that is revealed. The issue applies to two deployment scenarios:
1. An application hosted on the internet with an external interface.
2. An application hosted in an organization's internal production environment.

Proof of Concept:
Refer to the whitepaper for detailed information: http://secniche.org/papers/orabs.pdf

Detection:
SecNiche confirmed that this vulnerability affects the Oracle versions listed above.

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply: 26 Sept 2008
Oracle fix and release date: 13 January 2009

Links:
http://www.secniche.org/orabs.html
http://evilfingers.com/advisory/index.php

Vendor Response:
Oracle acknowledged this vulnerability, and a fix was released in the Critical Patch Update of 13 January 2009.
Oracle Critical Patch Update: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credit:
Oracle credited Aditya K Sood for discovering this vulnerability.

Disclaimer:
The information in this advisory is believed to be accurate at the time of publishing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied, with respect to anything in this document, and the author shall not be liable for any implied warranties of merchantability or fitness for a particular purpose, or for any indirect, special or consequential damages.

References:

http://seclists.org/bugtraq/2009/Jan/0170.html

