[ERPSCAN-08-004] Oracle Database 10g — Code Execution and SQL injection
Application: Oracle Database
Versions Affected: Oracle Database 10g R1
Vendor URL: http://oracle.com/
Bugs: SQL Injection,Buffer Owerflov
Vendor response: 20.12.2007
Date of Public Advisory: 16.01.2008
Author: Alexandr Polyakov
Buffer overflow in xDb.XDB_PITRIG_PKG.PITRIG_DROP and xDb.XDB_PITRIG_PKG.TRUNCATE procedures in Oracle 10G R1 allows remote authenticated users to execute arbitrary code via long arguments such as “Name” and “Owner”.
SQL Injections in xDb.XDB_PITRIG_PKG.PITRIG_DROP and xDb.XDB_PITRIG_PKG.TRUNCATE procedures. Vulnerable parametres such as “Name” and “Owner”.
Vulnerability allows remote authenticated users to execute SQL code with privileges of XDB user.
Legal database user can escalate privileges and gain unauthorized access to business-critical data.