Integrigy Security Advisory
______________________________________________________________________
FND_GFM Vulnerability
April 18, 2002
______________________________________________________________________
Summary:
A coding error in the FND_GFM database package permits anyone to execute any SQL statement or database package under the APPS account.
Product: Oracle E-Business Suite
Versions: 11.5.1 - 11.5.6
Platforms: All platforms
Risk Level: High
______________________________________________________________________
Description:
The database package FND_GFM does not properly check its input parameters, so anyone who submits a properly formatted URL can execute any SQL statement or database package under the APPS account.
If the database package body fnd_gfm is version 115.39 or lower, your system is vulnerable to this problem.
You can verify the database package version with the following SQL statement --
select * from dba_source
 where owner = 'APPS'
   and name = 'FND_GFM'
   and type = 'PACKAGE BODY'
   and text like '%Header%';
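The query above returns the $Header source line of the package body; deciding whether the system is vulnerable means pulling the revision out of that line and comparing it numerically against 115.39. The following helper is an added example, not part of the advisory or of Oracle's own tooling; the file name in the sample header lines and the sample rows themselves are constructed, and the exact $Header layout is assumed to be "$Header: <file> <major>.<minor> ... $".

```python
import re

# Advisory threshold: FND_GFM package body 115.39 or lower is vulnerable.
FIXED_AFTER = (115, 39)

# The version check query from the advisory, kept beside the parser that reads its output.
VERSION_QUERY = """
select text from dba_source
 where owner = 'APPS'
   and name = 'FND_GFM'
   and type = 'PACKAGE BODY'
   and text like '%Header%'
"""

# Assumed header layout: "$Header: <file> <major>.<minor> ... $".
HEADER_RE = re.compile(r"\$Header:\s*\S+\s+(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor) from a $Header source line, or None if it has none."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def is_vulnerable(rows):
    """rows: the TEXT values returned by VERSION_QUERY.
    Versions are compared component by component as integers, not as strings,
    so a later revision such as 115.100 is correctly treated as newer than 115.39."""
    versions = [v for v in (parse_version(r) for r in rows) if v]
    if not versions:
        raise ValueError("no $Header line found in FND_GFM package body")
    return max(versions) <= FIXED_AFTER

# Constructed sample rows shaped like dba_source.text output (file name is a placeholder).
SAMPLE_OLD = ["/* $Header: GFMBODY.pls 115.39 2002/01/10 12:00:00 appldev ship $ */\n"]
SAMPLE_NEW = ["/* $Header: GFMBODY.pls 115.40 2002/04/01 12:00:00 appldev ship $ */\n"]

if __name__ == "__main__":
    print("115.39 vulnerable:", is_vulnerable(SAMPLE_OLD))  # True
    print("115.40 vulnerable:", is_vulnerable(SAMPLE_NEW))  # False
```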
Solution:
Immediately apply patch # 2326606 as recommended by Oracle.
Additional Information:
Oracle Security Alert #32 -
http://technet.oracle.com/deploy/security/pdf/apps_alert_ebiz2.pdf
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.