• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability

Oracle database is prone to an SQL-injection vulnerability because the software fails to properly sanitize user-supplied data. The 'SUBSCRIPTION_NAME' parameter is vulnerable.

Packages that employ this parameter execute with 'SYS' user privileges. Exploiting the SQL-injection vulnerability can allow an attacker to gain 'SYS' privileges.

The attacker can exploit this issue using malformed PL/SQL statements to pass unauthorized SQL statements to the database. A successful exploit could allow the attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this time to associate this vulnerability with an identifier from the Oracle advisory.