Oracle users may potentially be at risk from a half dozen
vulnerabilities, even if they applied the company’s latest patch released
German security research Alexander Kornbrust of Red-Database-Security has
issued six security advisories affecting Oracle Forms and Oracle Reports.
On the highly critical side, the vulnerabilities could allow a system to be
compromised, provide for privilege escalation attacks or allow an attacker to
overwrite arbitrary files. At the low end, the flaws could be used for cross
site scripting attacks or information disclosure.
Kornbrust claims that he informed Oracle of the flaws as early as 2003.
The security researcher alleges in his advisory timeline that Oracle was
again notified in April and that if that flaws were not fixed in
Oracle’s July Critical Patch update, the flaws would go public.
On July 12, Oracle issued its quarterly Critical Patch Update, which included some 49 different matches for various flaws in various versions of its Enterprise Manager, Database server, Collaboration Suite, E-Business applications and Application Server products.
Oracle has not yet publicly addressed or confirmed Kornbrust’s claims on
its security Web site.
An Oracle spokesperson told internetnews.com that security
is a matter Oracle takes seriously and Oracle’s first priority is meeting
customer needs and reducing their risk.
“When software flaws are discovered, Oracle responds as quickly as
possible to help protect information secured by customers in Oracle-based
information systems,” the spokesperson said. “Oracle’s policy is to fix
security vulnerabilities in severity order –- higher severity vulnerabilities
are fixed as a priority over lower severity vulnerabilities.”
Oracle encourages customers and researchers to contact them as soon as
they discover security vulnerabilities, the spokesperson explained.
“We believe the most effective way to protect customers is to avoid
disclosing or publicizing vulnerabilities before a patch or workaround has
been developed,” the spokesperson said. “We are disappointed when any
details of Oracle product security vulnerabilities are released to the
public before patches can be made available.”
Of the six advisories issued by Red-Database-Security, three are rated
“High Risk.” “Run any OS Command via unauthorized Oracle Forms” is one of
the flaws reported by Red-Database-Security rated as being “high risk,” a
similar flaw exists in Oracle Reports.
“Oracle Reports starts reports executables (*.rep or *.rdf) from any
directory and any user on the application server. These reports are executed
as user Oracle or System (Windows),” the Red-Database Security advisory
states. “An attacker which is able to upload a specially crafted reports
executable to the application server is able to run any OS command or read
and write text files on the application server.
“By using the report parameter with an absolute path it is possible to
execute reports executables from ANY directory and ANY user,” the advisory
“Overwrite any file via desname in Oracle Reports” is also rated as a
highly critical vulnerability.
“By specifying a special value for the parameter desname, Oracle Reports
can overwrite any file on the application server,” the advisory states.
According to the security researcher, the attack is so simple that it can be
executed with a simple URL.
The desformat parameter in Oracle Reports also allegedly can lead to an
information disclosure vulnerability.
“The Oracle Reports parameter desformat can read any file by using an
absolute or relative file name,” the advisory states. “Parts of the file
content are displayed in the Reports error message. A different vulnerability in Oracle reports could allow an unauthorized user to read parts of any XML-file via a customized parameter.”
The German security researcher also alleges that Oracle Reports is also
at risk from various cross-site scripting vulnerabilities, which are rated