SecurityHome.eu Security vulnerability: dbmsaqadmsys-sql.txt

Home / vulnerabilities PDF

dbmsaqadmsys-sql.txt
Posted on 16 April 2009
Source : packetstormsecurity.org Link

SQL Injection in package DBMS_AQADM_SYS

Name SQL Injection in package DBMS_AQADM_SYS [CVE-2009-0977]
Systems Affected Oracle 9.2.0.8 - 10.2.0.3
Severity Medium Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Franz Hüll (fh at red-database-security.com)
CVE CVE-2009-0977
Advisory 14 April 2009 (V 1.00)

Details
The package DBMS_AQADM_SYS contains a SQL injection vulnerability.

PROCEDURE GRANT_TYPE_ACCESS( USER_NAME IN VARCHAR2) IS

GRANT_TXT VARCHAR2(100);
GRANT_OPT VARCHAR2(20) := ' with grant option';
BEGIN

EXECUTE_STMT( 'grant execute on sys.aq$_agent to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_subscribers to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_recipients to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);

[...]

Patch Information
Apply the patches for Oracle CPU April 2009.

History
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0977]
14-apr-2009 Advisory published

TOP

Malware :

Last 20

Exploits :

Last 20