News Document Title:
====================
Critical blind SQL Injection Vulnerabilities on Oracle Corp fixed

Release Date:
=============
2012-04-13

Laboratory Article:
===================
The well known Vulnerability Laboratory researcher Shadab Siddiqui (23) from India discovered this week a remote vulnerability of critical severity affecting Oracle. Oracle Corporation (NASDAQ: ORCL) is an American multinational computer technology corporation that specializes in developing and marketing computer hardware systems and enterprise software products, particularly database management systems.

Shadab Siddiqui discovered multiple remote blind SQL injection vulnerabilities in different parts of the Oracle web infrastructure. The vulnerability allows a remote attacker to inject and execute their own SQL commands on the DBMS behind the affected application. Successful exploitation results in compromise of the DBMS, the service and the application. The vulnerabilities are located in the shop, campus, education and academy services of Oracle.

Affected Service(s):
[+] https://shop.oracle.com
[+] https://campus.oracle.com
[+] https://education.oracle.com
[+] https://academy.oracle.com

In coordination with the Oracle security team (Steve Meert) the issue was fixed quickly on all instances of the different web services. The hotfix on the web servers was released within 12 days after the issue had been analysed by the Oracle security team.

[+] 2012-03-28: Vendor Notification
[+] 2012-03-29: Vendor Response/Feedback
[+] 2012-04-11: Vendor Fix/Patch
[+] 2012-04-12: Public or Non-Public Disclosure

Advisory:
[+] http://www.vulnerability-lab.com/get_content.php?id=478

Press/News:
http://news.softpedia.com/news/Oracle-Fixes-SQL-Injection-Flaws-on-its-Public-Sites-264140.shtml
http://www.online.com.es/17213/actualidad/oracle-corrige-problemas-sql-inyection-en-sus-sitios-publicos/
http://news.hitb.org/content/oracle-patched-blind-sql-injection-flaws-public-websites
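The flaw class the article describes (user input spliced into SQL text so that it can alter the query) is shown below as an added example that is not part of the original article and not Oracle's code: a catalogue lookup built by string concatenation beside the same lookup using a bind variable. SQLite stands in for the Oracle DBMS, and the table, rows, SKU values and function names are constructed for the demonstration; the `:name` placeholder syntax is the same one Oracle drivers use for bind variables.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the Oracle DBMS in the article.
# The third row is an unpublished record that a correct lookup must never return.
SAMPLE_ROWS = [
    (1, "ORCL-101", "Database 11g course", 1),
    (2, "ORCL-102", "Java SE training", 1),
    (3, "ORCL-900", "Unreleased draft", 0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory catalogue table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE catalogue (id INTEGER, sku TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO catalogue VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Vulnerable form: the caller-supplied value becomes part of the SQL text.

    A quote inside the value ends the string literal and the remainder is parsed
    as SQL, so the WHERE clause can be rewritten. A blind variant of this flaw
    leaks data one true/false answer at a time through differences in the response.
    """
    sql = (
        "SELECT sku, title FROM catalogue "
        "WHERE published = 1 AND sku = '" + sku + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, sku: str) -> list:
    """Hardened form: a bind variable carries the value outside the SQL text.

    The driver sends the value separately, so it is only ever compared as data
    and cannot change the structure of the statement, whatever it contains.
    """
    sql = "SELECT sku, title FROM catalogue WHERE published = 1 AND sku = :sku"
    return conn.execute(sql, {"sku": sku}).fetchall()


def compare(sku: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, sku)),
        "hardened_rows": len(lookup_hardened(conn, sku)),
    }


if __name__ == "__main__":
    # A normal SKU behaves identically in both forms; a value that breaks out of
    # the string literal makes the vulnerable form return the unpublished row too.
    print(compare("ORCL-101"))
    print(compare("x' OR '1'='1"))
```

The difference to look for when reviewing a code base is not the shape of the input but the shape of the statement: any query assembled with `+`, `%`, `format()` or f-strings from request data belongs in the first category, regardless of what validation sits in front of it.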