Date:
=====
2012-04-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=478

VL-ID:
=====
478

Introduction:
=============
Oracle Corporation (NASDAQ: ORCL) is an American multinational computer technology corporation that specializes in developing and marketing computer hardware systems and enterprise software products, particularly database management systems. Headquartered at 500 Oracle Parkway, Redwood Shores, Redwood City, California, United States and employing approximately 111,298 people worldwide as of 30 November 2011, it has enlarged its share of the software market through organic growth and through a number of high-profile acquisitions. By 2007 Oracle had the third-largest software revenue, after Microsoft and IBM. The company also builds tools for database development and systems of middle-tier software, enterprise resource planning software (ERP), customer relationship management software (CRM) and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle Corporation, has served as Oracle's CEO throughout its history. He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008 the Associated Press ranked Ellison as the top-paid chief executive in the world.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )

Abstract:
=========
A Vulnerability Laboratory researcher discovered multiple blind SQL injection vulnerabilities in Oracle's official service applications.

Report-Timeline:
================
2012-03-28: Vendor Notification
2012-03-29: Vendor Response/Feedback
2012-04-11: Vendor Fix/Patch
2012-04-12: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple remote SQL injection vulnerabilities were detected in Oracle's official service applications (web servers).
The vulnerabilities allow a remote attacker to inject and execute arbitrary SQL commands on the affected application's DBMS. Successful exploitation results in compromise of the DBMS, the service and the application. The vulnerabilities are located in the shop, campus, education and academy services of Oracle.

Vulnerable Module(s):
[+] emea1-events-remove3
[+] cn-profile-oardc.jsp?flag=
[+] us-jobdesc.jsp
[+] cn-profile-add-oardc.jsp

Affected Service(s):
[+] https://campus.oracle.com
[+] http://education.oracle.com
[+] https://academy.oracle.com
[+] https://shop.oracle.com
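The advisory names the bug class (a request parameter such as flag= reaching the DBMS as part of the SQL text) but does not show the defect or its fix. The following Python is an added illustration, not code from the advisory or from Oracle; it stands in for the JSP/JDBC code behind the listed pages and uses the standard-library sqlite3 module as the database. The profile table, the flag values, the allowlist and every function name are assumptions constructed for the example. It shows the concatenation pattern that causes the vulnerability beside the bound-parameter form that removes it, plus an allowlist check as a second layer.

```python
import sqlite3

# Constructed sample schema and rows; an assumption standing in for whatever
# table backs a profile page with a "flag" request parameter.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, flag TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO profile (flag, name) VALUES (?, ?)",
        [("cn", "Chen"), ("us", "Smith"), ("emea", "Mueller")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, flag: str) -> list:
    # The defect: the request parameter is spliced into the SQL text, so a
    # value containing a quote changes the structure of the statement.
    sql = "SELECT name FROM profile WHERE flag = '" + flag + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, flag: str) -> list:
    # The fix: a bound parameter. The DBMS receives the value separately from
    # the statement text, so it is only ever compared as data.
    rows = conn.execute("SELECT name FROM profile WHERE flag = ?", (flag,))
    return [row[0] for row in rows]


# Constructed allowlist: the set of flag values the page is actually meant to accept.
ALLOWED_FLAGS = {"cn", "us", "emea"}


def lookup_validated(conn: sqlite3.Connection, flag: str) -> list:
    # Defence in depth: reject unexpected values before they reach the database.
    # Validation complements parameterization; it does not replace it.
    if flag not in ALLOWED_FLAGS:
        raise ValueError("unexpected flag value: %r" % flag)
    return lookup_safe(conn, flag)


def demo() -> tuple:
    # Returns (rows from the unsafe lookup, rows from the safe lookup) for the
    # same quote-bearing input, so the difference can be checked, not just printed.
    conn = make_db()
    crafted = "x' OR 'a'='a"
    unsafe_rows = lookup_unsafe(conn, crafted)  # statement structure changed: all rows
    safe_rows = lookup_safe(conn, crafted)      # literal comparison: no rows
    return unsafe_rows, safe_rows


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("concatenated query returned", len(unsafe_rows), "rows")
    print("parameterized query returned", len(safe_rows), "rows")
```

When reviewing a JSP or any other server-side page for this class of bug, the question to ask of each query is the one the two lookup functions make concrete: does the request value arrive at the DBMS as a bound parameter, or as part of the statement text? Only the former is safe; escaping or filtering on top of concatenation is the allowlist layer, not the fix.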