Oracle E-Business Suite Business Intelligence SQL Injection Vulnerability

2008-12-16T00:00:00
ID ZDI-08-088
Type zdi
Reporter Joxean Koret
Modified 2008-11-09T00:00:00

Description

This vulnerability allows remote attackers to inject arbitrary SQL on vulnerable installations of Oracle E-Business Suite Business Intelligence. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the APPS.ICXSUPWF.DisplayContacts package. The procedure fails to validate the contents of a WHERE clause containing user supplied input. This allows an attacker to execute arbitrary SQL statements in the context of the APPS user.