Reported April 11, 2003, by Stephen Kost.
VERSIONS AFFECTED
Oracle E-Business Suite 11i, releases 10.7, 11.0, and 11.5.1 through 11.5.8
DESCRIPTION
A vulnerability in the communications protocol used by the Oracle Applications FND File Server (FNDFS) can permit an attacker to bypass all OS, database, and application authentication and retrieve files from Oracle Applications Concurrent Manager servers. An attacker with direct SQL*Net access to the Concurrent Manager server can retrieve sensitive data or files, including any file readable by the oracle or applmgr OS accounts, some of which contain critical passwords.
VENDOR RESPONSE
Oracle has released a security bulletin regarding this vulnerability and recommends that affected users download and apply the appropriate update.
CREDIT
Discovered by Stephen Kost of Integrigy Corporation.
Authentication Bypass Vulnerability in Oracle E-Business Suite