Vulnerability Lab and Oracle's security team worked on addressing the issues

Apr 12, 2012 06:46 GMT  ·  By

Vulnerability Lab researcher Shadab Siddiqui found multiple Blind SQL Injection flaws in four websites owned by Oracle. Steve Meert, part of Oracle’s security team, worked closely with Benjamin Kunz Mejri to address the issues.

The security holes were identified by Siddiqui at the end of March. One day after they were reported to Oracle, the company started working on a fix, which was applied on April 11, 2012.

The flaws, rated critical, could have been exploited remotely, allowing an attacker to inject and execute SQL commands of their own choosing.

The worst aspect of these particular vulnerabilities was that they could have allowed an attacker to compromise the sites' database management systems without any user interaction.
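To make the class of flaw concrete, here is an added example (not code from Oracle or from the Vulnerability Lab advisory) showing why a query built by string concatenation is injectable while a parameterized query is not, and how a defender can detect the difference with the same boolean-based probe a blind-injection scanner uses. The table, rows and the hypothetical `lookup_*` functions are constructed for this illustration and run against an in-memory SQLite database, not any Oracle system.

```python
import sqlite3


def build_db():
    # Constructed sample data: a course catalogue with one non-public row.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE courses (id INTEGER PRIMARY KEY, code TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO courses (code, public) VALUES (?, ?)",
        [("DB101", 1), ("DB102", 1), ("INTERNAL-9", 0)],
    )
    return conn


def lookup_vulnerable(conn, code):
    # Hypothetical flawed handler: the user-supplied value is spliced into the
    # SQL text, so quote characters in it change the query's structure.
    sql = "SELECT code FROM courses WHERE public = 1 AND code = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, code):
    # Hardened form: the value is bound as a parameter and the engine treats
    # it purely as data, never as part of the query syntax.
    sql = "SELECT code FROM courses WHERE public = 1 AND code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


def differs_under_injection(lookup, conn, base="DB101"):
    # Boolean-based blind check, as a self-test for a data-access function:
    # append a condition that is always true, then one that is always false.
    # If the two responses differ, the condition reached the SQL engine and
    # the function is injectable; a safe function returns the same (empty)
    # result for both, because neither literal string is a real course code.
    always_true = lookup(conn, base + "' AND '1'='1")
    always_false = lookup(conn, base + "' AND '1'='2")
    return always_true != always_false


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(f"{name}: normal lookup -> {fn(db, 'DB101')}, "
              f"injectable -> {differs_under_injection(fn, db)}")
```

The probe never needs to see database contents or error messages; it only compares two responses, which is exactly what makes blind injection detectable (and exploitable) even when the site returns nothing but "found" or "not found". Running the same check in a CI suite against each handler that takes user input catches the concatenation pattern before it ships.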

The list of vulnerable websites includes campus.oracle.com, education.oracle.com, academy.oracle.com, and shop.oracle.com.

Security enthusiasts can check out a detailed proof-of-concept and the screenshots that demonstrate the existence of the flaws below.

Note: My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1.

[Image gallery: Blind SQL Injection Vulnerabilities on Oracle Sites (5 images), screenshots showing the SQL injection vulnerabilities on the Oracle sites]