New information has been released for an Oracle E-Business Suite 11i security vulnerability fixed as part of the April 2007 Critical Patch Update. The vulnerability was discovered by Joxean Koret and the TippingPoint Zero Day Initiative released the advisory. For those of you not familiar with the Zero Day Initiative, it is a security vendor sponsored program that pays for security vulnerability information.
Unfortunately, the Zero Day Initiative advisory ZDI-08-088 contains minimal information regarding the vulnerability and several inaccuracies. Oracle fixed this vulnerability as part of the April 2007 Critical Patch Update and subsequently in ATG_PF.H RUP5 and later. The vulnerability is a serious SQL injection bug in a Self-Service Web Application database package that is called and accessible through mod_plsql. Mod_plsql is an Apache module and part of an Oracle web framework which allows database packages to dynamically generate web pages. The vulnerable schema.package.procedure name is APPS.ICXSUPWF.DISPLAYCONTACTS and all versions 115.6 and prior are vulnerable. When creating intrusion detection/prevention rules for this vulnerability, the URL will only include the package/procedure name ICXSUPWF.DISPLAYCONTACTS and mod_plsql URLs are case-insensitive. This URL is normally blocked by the Oracle E-Business Suite 11i URL Firewall and should not be externally accessible.
Vulnerability "anthropologists" may be interested in the fact that this vulnerability has existed since at least September 1999 and likely was introduced several years earlier with the release of Oracle Applications 11.0.
Original Oracle Advisory:
Oracle Critical Patch Update April 2007 – APPS01
Affected Product and Versions:
Oracle E-Business Suite 11.5.1 through 22.214.171.124
Affected Oracle E-Business Suite Modules:
Application Object Library (FND)/Self-Service Web Applications (ICX)
11.5.1 - 11.5.6 – No patches are available for unsupported versions of the Oracle E-Business Suite
11.5.7 – 126.96.36.199 with ATG_PF.H RUP4 or prior – 5893391
11.5.9 – 188.8.131.52 with ATG_PF.H RUP5 or higher – No patch required as this fix was included in RUP5 and higher