Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 33, Issue 1
From: Joxean Koret <joxeankoret () yahoo es>
Date: Thu, 01 Nov 2007 15:36:32 +0100
Hi, You're wrong. First of all, yes, is a preauth sql injection in an "admin console" but, if you have privileges to connect to the Oracle Financials instance, even as a normal unprivileged user, you have sufficient privileges to access it. You don't need to have assigned the SYSADMIN responsability. And second, there are many ways to bypass authentication in Oracle E-Business Suite, at least in version 11i, I'm not sure if the same problems applies to R12. I can't release more details right now. Thanks, Joxean Koret On jue, 2007-11-01 at 12:00 +0000, full-disclosure-request () lists grok org uk wrote:
Message: 8 Date: Wed, 31 Oct 2007 22:55:36 -0500 From: reepex <reepex () gmail com> Subject: Re: [Full-disclosure] ZDI-07-058: Oracle E-Business Suite SQL Injection Vulnerability To: "zdi-disclosures () 3com com" <zdi-disclosures () 3com com>, full-disclosure () lists grok org uk Message-ID: <e9d9d4020710312055q417f681dw70d706ae81d03ef5 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 post auth sql injection in random admin console - lulz On 10/31/07, zdi-disclosures () 3com com <zdi-disclosures () 3com com> wrote:The specific flaw exists in the okxLOV.jsp page in theAdministrationconsole.
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Full-Disclosure Digest, Vol 33, Issue 1 Joxean Koret (Nov 01)
- Re: Full-Disclosure Digest, Vol 33, Issue 1 reepex (Nov 01)