Oracle XSQL query.xsql sql Parameter SQL Injection

Medium | Nessus Plugin ID 10613

Synopsis

The remote host is vulnerable to information disclosure.

Description

One of the sample applications that ships with the Oracle XSQL Servlet allows an attacker to run arbitrary queries against the Oracle database (under an unprivileged account). Although it does not allow an attacker to delete or modify database contents, this flaw can be used to enumerate database users and view table names.

Solution

Sample applications should always be removed from production servers.

Plugin Details

Severity: Medium

ID: 10613

File Name: oracle_xsql_query.nasl

Version: 1.25

Type: remote

Family: Databases

Published: 2/15/2001

Updated: 6/12/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 2/6/2002

Reference Information

CVE: CVE-2002-1631

BID: 6556

CERT: 717827