mailing list archives
TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure
From: Shatter <shatter () appsecinc com>
Date: Fri, 21 Jan 2011 15:35:21 -0500
-----BEGIN PGP SIGNED MESSAGE-----
TeamSHATTER Security Advisory
January 20, 2011
Oracle Database Server version 10gR2, 11gR1 and 11gR2
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.
It is possible to know the Session ID getting the directory contents from
In this directory there are some .gif files that have a valid web session id in their names.
This directory has read permissions for everyone by default.
For example, file h1cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d61271722801217.gif
corresponds to session ID: cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d6
These .gif files seem to be auto-generated when the 'Monitor' web page is accessed by an administrator from the Oracle
Database Vault Administrator web console.
After getting a valid Session ID an attacker can impersonate the web application user and make web requests on his
It is possible for a local user to know the Session ID of an administrator that is using the Oracle Database Vault
Administrator web console and perform operations on the administrator's behalf.
Vendor was contacted and a patch was released.
There is no workaround for this vulnerability. To narrow the time window when this vulnerability can be exploited you
should Log off from Oracle Database Vault Administrator web console as soon as you finished using it and do not keep
the session open until it expires.
Apply Oracle Critical Patch Update January 2011 available at Oracle Metalink.
Vendor Notification - 6/30/2010
Vendor Response - 6/30/2010
Fix - 1/18/2011
Public Disclosure - 1/20/2011
Application Security, Inc's database security solutions have helped over 2000 organizations secure their databases from
all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently
available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure Shatter (Jan 21)