Oracle Database SQL Injection Vulnerability

Date: 2006-02-25
    Vulnerability Information

  Oracle is a powerful commercial database.

  Oracle's SYS.KUPV$FT_INT package contains multiple SQL injection flaws; a remote attacker can exploit them to obtain sensitive information.

  The SYS.KUPV$FT_INT package contains 16 SQL injection flaws in the functions UPDATE_JOB, ACTIVE_JOB, ATTACH_POSSIBLE, ATTACH_TO_JOB,
  CREATE_NEW_JOB, DELETE_JOB, DELETE_MASTER_TABLE, DETACH_JOB,
  GET_JOB_INFO, GET_JOB_QUEUES, GET_SOLE_JOBNAME, MASTER_TBL_LOCK and
  VALID_HANDLE. An attacker can exploit these flaws to inject SQL, obtaining sensitive information or manipulating the database.
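  The advisory names the affected functions but not the defect pattern. The PL/SQL below is an added illustration, not Oracle's code and not the body of SYS.KUPV$FT_INT: it shows the generic shape of a SYS-owned package that builds dynamic SQL from a caller-supplied string, and the hardened shape beside it. The package, table and column names (JOB_DEMO_VULN, JOB_DEMO_SAFE, DEMO_JOBS, JOB_NAME, STATE) are hypothetical.

```sql
-- Added illustration (not Oracle's code): the dynamic-SQL pattern behind this
-- class of bug and its hardened form. All object names here are hypothetical.
CREATE TABLE demo_jobs (
  job_name   VARCHAR2(30),
  owner_name VARCHAR2(30),
  state      VARCHAR2(10)
);

-- Vulnerable shape: caller-supplied text is spliced into the statement.
-- A package owned by SYS is definer's-rights by default, so the statement
-- runs with SYS privileges regardless of who calls the function.
CREATE OR REPLACE PACKAGE job_demo_vuln AS
  FUNCTION get_state(p_job_name IN VARCHAR2) RETURN VARCHAR2;
END job_demo_vuln;
/
CREATE OR REPLACE PACKAGE BODY job_demo_vuln AS
  FUNCTION get_state(p_job_name IN VARCHAR2) RETURN VARCHAR2 IS
    l_state VARCHAR2(10);
  BEGIN
    -- Concatenation: the quotes in the literal are closed by attacker input.
    EXECUTE IMMEDIATE
      'SELECT state FROM demo_jobs WHERE job_name = ''' || p_job_name || ''''
      INTO l_state;
    RETURN l_state;
  END get_state;
END job_demo_vuln;
/

-- Hardened shape: bind variables for values, DBMS_ASSERT for identifiers,
-- and AUTHID CURRENT_USER so the SQL runs with the caller's own privileges.
CREATE OR REPLACE PACKAGE job_demo_safe AUTHID CURRENT_USER AS
  FUNCTION get_state(p_job_name IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION row_count(p_table_name IN VARCHAR2) RETURN NUMBER;
END job_demo_safe;
/
CREATE OR REPLACE PACKAGE BODY job_demo_safe AS
  FUNCTION get_state(p_job_name IN VARCHAR2) RETURN VARCHAR2 IS
    l_state VARCHAR2(10);
  BEGIN
    -- The input is a value: pass it as a bind, never as SQL text.
    EXECUTE IMMEDIATE 'SELECT state FROM demo_jobs WHERE job_name = :1'
      INTO l_state USING p_job_name;
    RETURN l_state;
  END get_state;

  FUNCTION row_count(p_table_name IN VARCHAR2) RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- The input is an identifier, so it cannot be bound. SQL_OBJECT_NAME
    -- raises ORA-44002 unless the string resolves to an existing object,
    -- which rejects any appended SQL text.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table_name)
      INTO l_count;
    RETURN l_count;
  END row_count;
END job_demo_safe;
/
```

  DBMS_ASSERT ships with Oracle 10g Release 2 and was backported to earlier releases through the Critical Patch Updates, so on a fully patched 9i or 10gR1 instance the hardened form above is available as-is.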

  CNCAN ID: CNCAN-2006011818

  Advisory date: 2006-01-17

  Cause

  Design error

  Affected Systems

  PeopleSoft Enterprise Portal 8.9

  PeopleSoft Enterprise Portal 8.8

  PeopleSoft Enterprise Portal 8.4

  Oracle Workflow 11.5.9.5

  Oracle Workflow 11.5.1

  Oracle Oracle9i Standard Edition 9.2.0.7

  Oracle Oracle9i Standard Edition 9.2.0.6

  Oracle Oracle9i Enterprise Edition 9.0.1.5 FIPS

  Oracle Oracle9i Enterprise Edition 9.0.1.5

  Oracle Oracle9i Enterprise Edition 9.0.1.4

  Oracle Oracle9i Application Server 1.0.2.2

  Oracle Oracle8i Standard Edition 8.1.7.4

  Oracle Oracle8i Standard Edition 8.0.6.3

  Oracle Oracle8i Standard Edition 8.0.6

  Oracle Oracle8i Enterprise Edition 8.1.7.4

  Oracle Oracle8 8.1.7.4

  Oracle Oracle8 8.0.6.3

  Oracle Oracle8 8.0.6

  Oracle Oracle10g Standard Edition 10.2.0.1

  Oracle Oracle10g Standard Edition 10.1.0.5

  Oracle Oracle10g Standard Edition 10.1.0.4.2

  Oracle Oracle10g Standard Edition 10.1.0.4

  Oracle Oracle10g Standard Edition 10.1.0.3

  Oracle Oracle10g Personal Edition 10.1.0.4

  Oracle Oracle10g Personal Edition 10.1.0.3

  Oracle Oracle10g Enterprise Edition 10.1.0.4

  Oracle Oracle10g Enterprise Edition 10.1.0.3

  Oracle Oracle10g Application Server 10.1.2.1.0

  Oracle Oracle10g Application Server 10.1.2.0.2

  Oracle Oracle10g Application Server 10.1.2.0.1

  Oracle Oracle10g Application Server 10.1.2

  Oracle Oracle10g Application Server 9.0.4.2

  Oracle Oracle10g Application Server 9.0.4.1

  Oracle Oracle 9i Application Server Release 1 1.0.2.2

  Oracle JD Edwards EnterpriseOne 8.95_F1

  Oracle JD Edwards EnterpriseOne SP23_L1

  Oracle Enterprise Manager Grid Control 10g 10.1.0.4

  Oracle Enterprise Manager Grid Control 10g 10.1.0.3

  Oracle E-Business Suite 11i 11.5.9

  Oracle E-Business Suite 11i 11.5.8

  Oracle E-Business Suite 11i 11.5.7

  Oracle E-Business Suite 11i 11.5.6

  Oracle E-Business Suite 11i 11.5.5

  Oracle E-Business Suite 11i 11.5.4

  Oracle E-Business Suite 11i 11.5.3

  Oracle E-Business Suite 11i 11.5.2

  Oracle E-Business Suite 11i 11.5.1

  Oracle E-Business Suite 11i 11.5.10

  Oracle Developer Suite 10.1.2

  Oracle Developer Suite 9.0.4.2

  Oracle Developer Suite 9.0.4.1

  Oracle Developer Suite 9.0.2.1

  Oracle Collaboration Suite Release 2 9.0.4.2

  Oracle Collaboration Suite Release 1 10.1.2

  Oracle Collaboration Suite Release 1 10.1.1

  Oracle Collaboration Suite Release 1

  Oracle Application Server Release 2 10.1.2.0.2

  Oracle Application Server Release 2 10.1.2.0.1

  Oracle Application Server Release 2 10.1.2.0.0

  Oracle Application Server 10g 10.1.2

  Oracle Application Server 10g 9.0.4.2

  Oracle Application Server 10g 9.0.4.1

  Oracle Application Server 10g 9.0.4

  Impact

  A remote attacker can exploit the vulnerability to obtain sensitive information.

  Attack Prerequisites

  The attacker must have access to Oracle.

  Vendor Solution

  See the following link for the fix provided in the Oracle advisory:

  http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
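  Since the prerequisite is database access, the practical questions for an administrator are which accounts can reach SYS.KUPV$FT_INT and whether the Critical Patch Update has been applied. The queries below are an added inventory, not part of the advisory; they use the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_DEPENDENCIES and DBA_REGISTRY_HISTORY views and are meant to be run by a DBA. The '%CPU%' match on the COMMENTS column is an assumption about how the patch is recorded; adjust it to whatever string your patch history shows.

```sql
-- Added defender-side inventory (not from the advisory). Run as a DBA.

-- 1. Every grantee holding EXECUTE directly on the affected package.
--    A grant to PUBLIC means any account that can log in reaches it.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'KUPV$FT_INT'
 ORDER BY grantee;

-- 2. Accounts that reach the package through a role (one level of
--    role nesting; repeat the join for deeper hierarchies).
SELECT rp.grantee, tp.grantee AS via_role, tp.privilege
  FROM dba_tab_privs tp
  JOIN dba_role_privs rp ON rp.granted_role = tp.grantee
 WHERE tp.owner = 'SYS'
   AND tp.table_name = 'KUPV$FT_INT'
 ORDER BY rp.grantee;

-- 3. Stored code that calls into the package, so that revoking a grant
--    does not silently break a legitimate dependent.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name = 'KUPV$FT_INT'
 ORDER BY owner, name;

-- 4. Patch history (10g records Critical Patch Updates here). The
--    '%CPU%' filter is an assumed match on the comment text.
SELECT action_time, action, version, comments
  FROM dba_registry_history
 WHERE UPPER(comments) LIKE '%CPU%'
 ORDER BY action_time;
```

  An empty result from query 4 on an instance in the affected-version list above means the CPU has not been recorded, which is the case to escalate; queries 1 and 2 tell you how wide the exposure is in the meantime.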

  Credit

  Alexander Kornbrust (ak at red-database-security.com)

  Advisory Link

  http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041498.html

  Advisory Title

  [Full-disclosure] Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT