Summary
In your installation of Oracle 9iAS, it is possible to access a demo (PORTAL_DEMO.ORG_CHART) via mod_plsql. Access to these pages should be restricted, because it may be possible to abuse this demo for SQL Injection attacks.
Solution
Revoke the EXECUTE privilege granted to PUBLIC on the PL/SQL package in schema PORTAL_DEMO (REVOKE execute ON portal_demo.org_chart FROM public).
Also check Oracle Security Alert 61 for patch information.
Reference: http://otn.oracle.com/deploy/security/pdf/2003alert61_2.pdf
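The check, fix and verification for the Solution above, written as SQL. This is an added example, not taken from the plugin or from Oracle's alert. It assumes a DBA session that can read DBA_TAB_PRIVS and DBA_OBJECTS, and its last query goes beyond the single package named here to list every PORTAL_DEMO program unit still executable by PUBLIC.

```sql
-- Added example: run as a DBA (for instance in SQL*Plus) on the database
-- that holds the PORTAL_DEMO schema.

-- 1. Check whether PUBLIC can still execute the demo package.
SELECT owner, table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner      = 'PORTAL_DEMO'
   AND table_name = 'ORG_CHART'
   AND grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE';

-- 2. If step 1 returned a row, remove the grant (the statement from the
--    Solution). Oracle raises an error when the grant does not exist,
--    so skip this step if step 1 returned nothing.
REVOKE EXECUTE ON portal_demo.org_chart FROM PUBLIC;

-- 3. Verify. A count above zero means the grant is still in place.
SELECT COUNT(*) AS remaining_public_grants
  FROM dba_tab_privs
 WHERE owner      = 'PORTAL_DEMO'
   AND table_name = 'ORG_CHART'
   AND grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE';

-- 4. Wider audit: every PORTAL_DEMO program unit that PUBLIC may execute.
--    Each row is reachable the same way as ORG_CHART if mod_plsql exposes
--    the schema, so review each one for removal or revocation.
SELECT p.table_name AS object_name, o.object_type
  FROM dba_tab_privs p, dba_objects o
 WHERE p.owner       = 'PORTAL_DEMO'
   AND p.grantee     = 'PUBLIC'
   AND p.privilege   = 'EXECUTE'
   AND o.owner       = p.owner
   AND o.object_name = p.table_name
   AND o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
 ORDER BY p.table_name;
```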
Severity
Classification
CVE: CVE-2003-1193
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P