SecNiche Security Driving Element of Innocuous Minds.

Optimized Derivative of Complex Security

We stick to basics, thereby reiterating the hidden elements of security from these complex systems. We respect the researchers and hackers who work effortlessly to support community at par. We believe in hunting core to deface the reality of this machine world. The Niche of Security lockdown.

Advisory: Oracle E-Business Suite Sensitive Information Disclosure Vulnerability

Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2

CVE:
2008-5446

Description:
Oracle E-Business Suite, including applications such as iRecruitment, is vulnerable to a flaw that discloses sensitive information about the deployment of the Oracle application and server in a production environment. The flaw lies in the code designed for E-Business Suite, which allows a malicious user to steal sensitive information through the "About Us Page" (shipped with E-Business Suite) by allowing guest access. In addition, the attacker is granted straightforward access to all of this information, which provides a potential attack surface for conducting more severe attacks.

The severity is higher because of the type of information that is revealed. It can be considered for two deployment scenarios:

1. If an application is hosted on internet with external interface.
2. If an application is hosted in organization production environment.

Proof of Concept: Refer to the whitepaper for detailed information
Oracle E-Business Flaw Whitepaper

Detection:
SecNiche confirmed that this vulnerability affects the Oracle versions listed above.

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply: 26 Sept 2008
Oracle Fix and Release Date: 13 January 2009

Vendor Response:
Oracle acknowledges this vulnerability, and a fix has been released in the critical advisory update of 13 January 2009.

Oracle Critical Patch Update: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credit:
Oracle credited Aditya K Sood for discovering this vulnerability.

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.