NASLDB: Oracle WebCenter Content 'GET_SEARCH_RESULTS' SQL Injection
General
ID: 57980
Name: Oracle WebCenter Content ‘GET_SEARCH_RESULTS’ SQL Injection
Summary: Checks
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Temporal Vector: CVSS2#E:U/RL:OF/RC:C
Port: 80
Family: CGI abuses
Type: Remote
Description
The Oracle WebCenter Content install on the remote host does not
properly sanitize the ‘SortField’, ‘SortOrder’, and ‘QueryText’
parameters of the ‘GET_SEARCH_RESULTS’ IDC service. An attacker can
exploit this flaw to launch SQL injection attacks which could lead to
authentication bypass, disclosure of sensitive information, and
attacks against the underlying database.
Exploiting
Exploit Available: False
Exploitability Ease: No known exploits are available
Sources
CVE: CVE-2012-0083
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: 2012/01/18
Patch Release: 2012/01/18
Plugin Release: 2012/02/16
Plugin
Version: 1.2
Filename: oracle_webcenter_content_idcplg_sql_injection.nasl
Filesize: 3752 bytes
MD5 Hash: 2ba399da494bb793981f70e20bbf9488
Identification: –
Require Keys: www/OracleWebCenterContent
Dependencies: "oracle_webcenter_content_detect.nasl"
Copyright: This script is Copyright© 2012 Tenable Network Security, Inc.
- Letzte Plugins
- USN-1611-1 : thunderbird vulnerabilities
- USN-1610-1 : linux vulnerability
- USN-1609-1 : linux-ti-omap4 vulnerability
- SuSE 10 Security Update : PostgreSQL
- RHSA-2012-1364: bind97
- RHSA-2012-1363: bind
- RHSA-2012-1362: thunderbird
- RHSA-2012-1361: xulrunner
- Mandriva Linux Security Advisory : graphicsmagick
- FreeBSD : phpMyAdmin — Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack