Unprivileged DB users can see APEX password hashes

2009.04.16
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Unprivileged DB users can see APEX password hashes [CVE-2009-0981]

Name: Unprivileged DB users can see APEX password hashes
Systems Affected: APEX 3.0 (optional component of 11.1.0.7 installation)
Severity: High Risk
Category: Password Disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust
CVE: CVE-2009-0981
Advisory: 14 April 2009 (V 1.00)

Details:
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.

    SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS;

    USER_NAME   WEB_PASSWORD2
    ---------------------------------------------------------------------------
    YURI        141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan. Additional information is available in the following advisory.

Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html

Patch Information:
Upgrade to Oracle APEX 3.2.

Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle CPU April 2009 and can identify vulnerable databases. More information about Repscan can be found here: http://www.sentrigo.com/repscan

History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the last 6 years we reported several hundred vulnerabilities to Oracle.
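An audit check a DBA can run alongside a scanner, added here as an example and not part of the original advisory: it reports the installed APEX version and lists who holds SELECT on the object queried above, directly or through roles. DBA_REGISTRY, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS are standard Oracle dictionary views; the schema and object names are taken from the advisory's query, and the advisory itself does not say how the access is granted.

```sql
-- Added example; run as a user with access to the DBA_* dictionary views.
-- 1. Installed APEX version. The advisory lists APEX 3.0 as affected and
--    APEX 3.2 as the fixed release.
SELECT comp_id, version, status
  FROM dba_registry
 WHERE comp_id = 'APEX';

-- 2. Direct object grants on the object named in the advisory.
--    A row with GRANTEE = 'PUBLIC' means every database account can read
--    the hash column; any other grantee is a user or a role.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'FLOWS_030000'
   AND table_name = 'WWV_FLOW_USERS'
 ORDER BY grantee;

-- 3. Database users who inherit SELECT through a role, with nested
--    role-to-role grants expanded. VIA_ROLE is the role that holds the
--    object grant found in step 2.
SELECT DISTINCT rp.grantee AS db_user,
       CONNECT_BY_ROOT rp.granted_role AS via_role
  FROM dba_role_privs rp
 WHERE rp.grantee IN (SELECT username FROM dba_users)
 START WITH rp.granted_role IN (SELECT grantee
                                  FROM dba_tab_privs
                                 WHERE owner = 'FLOWS_030000'
                                   AND table_name = 'WWV_FLOW_USERS'
                                   AND privilege = 'SELECT')
 CONNECT BY PRIOR rp.grantee = rp.granted_role
 ORDER BY db_user;
```

If step 1 shows a 3.0.x version and step 2 or 3 returns accounts that have no need to read APEX user data, treat the stored hashes as exposed until the upgrade to APEX 3.2 is applied.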

References:

http://seclists.org/fulldisclosure/2009/Apr/0153.html

