Full title: Oracle Reports Developer Version Release 9i to 10gr2 Database Disclosure 
Category: web applications
Platform: multiple
An undocumented PARSEQUERY function in Oracle Forms and Reports allows dumping database username and passwords unauthenticated. The patch / workaround just appears to obfuscate the issue but not actually address it. Affected systems include versions 9iAS, 9iDS, 10G (DS and AS), and 10G AS Reports/Forms Standalone Installation, 11g if patch or workaround not applied. In 12g a code rewrite has mitigated this vulnerability.

# 0day.today @ http://0day.today/