Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "A small correction to a post about DBMS_SYSTEM.KSDDDT"] [Next entry: "Alex's SQL Injection advisory is available in German"]
Today Alex has released a new paper on his site titled "SQL Injection in Oracle reports". Alex has found that self developed reports are vulnerable to SQL Injection if they are using "lexical references" without input validation. Most Oracle reports developers are not aware of this issue and by definition are not validating input (e.g from parameters). This is not a bug in the reports product itself but an issue with the developers. Alex states that the Oracle documentation does not alert developers to this issue.
Alex goes on to state that all Reports products since version 2.0 using "lexical references" are vulnerable. These could be self developed or for instance part of an Oracle application such as E-Business Suite.
Alex states that it is not possible to fix this issue by setting a parameters but only possible by fixing every report by adding input validation for all parameters. Oracle has not released a fix for this issue.
This is clearly a very big issue and a serious issue as potentially there are a large amount of vulnerable reports out there.
Alex then describes the problem in detail and includes an example vulnerable report that demonstrates how database usernames can be read using SQL Injection techniques. Alex then repeats that the issue is a big problem if you have a lot of reports using "lexical references" and gives a history of when he reported the bug to Oracle.