News Document Title:
====================
Critical blind SQL Injection Vulnerabilities on Oracle Corp fixed


Release Date:
=============
2012-04-13


Laboratory Article:
===================
The well known Vulnerability Laboratory researcher Shadab Siddiqui (23) from India discovered this week 
a remote vulnerability of critical severity affecting Oracle. Oracle Corporation (NASDAQ: ORCL) is an American 
multinational computer technology corporation that specializes in developing and marketing computer hardware 
systems and enterprise software products, particularly database management systems. 

Shadab Siddiqui discovered multiple remote blind SQL injection vulnerabilities in different parts of the Oracle 
web infrastructure. The vulnerabilities allow a remote attacker to inject and execute their own SQL commands on the 
affected application's DBMS. Successful exploitation results in compromise of the DBMS, the service and the 
application. The vulnerabilities are located in the shop, campus, education and academy services of Oracle.

Affected Service(s):
                             [+] https://shop.oracle.com
                             [+] https://campus.oracle.com
                             [+] https://education.oracle.com
                             [+] https://academy.oracle.com

In coordination with the Oracle security team (Steve Meert), the issue was fixed quickly on all instances 
of the different web services. The hotfix on the web servers was released within 12 days after the issue had 
been analysed by the Oracle security team.

                             [+] 2012-03-28: Vendor Notification
                             [+] 2012-03-29: Vendor Response/Feedback
                             [+] 2012-04-11: Vendor Fix/Patch
                             [+] 2012-04-12: Public or Non-Public Disclosure


Advisory:
                             [+] http://www.vulnerability-lab.com/get_content.php?id=478

Press/News:
http://news.softpedia.com/news/Oracle-Fixes-SQL-Injection-Flaws-on-its-Public-Sites-264140.shtml
http://www.online.com.es/17213/actualidad/oracle-corrige-problemas-sql-inyection-en-sus-sitios-publicos/
http://news.hitb.org/content/oracle-patched-blind-sql-injection-flaws-public-websites