Summary
Oracle Forms and Reports Database Vulnerability
Impact
Unauthenticated remote attackers can dump the usernames and passwords of the database.
Solution
Apply the patch from Oracle or upgrade to version 12 or higher.
Insight
An undocumented feature of the PARSEQUERY function allows keymap files located under /reports/rwservlet/ to be added to the query, which makes it possible to dump the database passwords.
Affected
Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0
Detection
The check attempts to dump at least one username and password of the database.
Classification
CVE: CVE-2012-3153
Severity
CVSS Base Score: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Related Vulnerabilities
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- Adobe Presenter viewer.swf and loadflash.js XSS Vulnerability
- Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
- Apache OFBiz Multiple Cross Site Scripting Vulnerabilities
- Apache CouchDB Cross Site Request Forgery Vulnerability