News Document Title:
====================
Critical blind SQL Injection Vulnerbailities on Oracle Corp fixed
Release Date:
=============
2012-04-13
Laboratory Article:
===================
The well known Vulnerability Laboratory Researcher Shadab Siddiqui (23) from Indian has discovered this week
a remote vulnerability with critical severity to oracle. Oracle Corporation (NASDAQ: ORCL) is an american
multi-national computer technology corporation that specializes in developing and marketing computer hardware
systems and enterprise software products – particularly database management systems.
Shadab Siddiqui disovered multiple remote blind SQL Injection vulnerabilities on different parts of the Oracle
web infrastructure. The vulnerability allows an attacker (remote) to inject/execute own sql commands on the
affected application dbms. Successful exploitation of the vulnerability results in dbms, service and application
compromise. The vulnerabilities are located on the shop, campus, education and academy service of oracle.
Affected Service(s):
[+] https://shop.oracle.com
[+] https://campus.oracle.com
[+] https://education.oracle.com
[+] https://academy.oracle.com
With coordination of the oracle security team (Steve Meert) the issue has been fixed quickly on all instances
of the different web service. The hotfix on the web-servers has been released within 12 days after the issue has
been analysed by oracle security team.
[+] 2012-03-28: Vendor Notification
[+] 2012-03-29: Vendor Response/Feedback
[+] 2012-04-11: Vendor Fix/Patch
[+] 2012-04-12: Public or Non-Public Disclosure
Advisory:
[+] http://www.vulnerability-lab.com/get_content.php?id=478
Press/News:
http://news.softpedia.com/news/Oracle-Fixes-SQL-Injection-Flaws-on-its-Public-Sites-264140.shtml
http://www.online.com.es/17213/actualidad/oracle-corrige-problemas-sql-inyection-en-sus-sitios-publicos/
http://news.hitb.org/content/oracle-patched-blind-sql-injection-flaws-public-websites