Oracle E-Business Suite Arbitrary Node Deletion VulnerabilityZDI-07-016: April 17th, 2007
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4919. For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the APPLSYS.FND_DM_NODES package. The procedure to delete nodes does not check for a valid session thereby allowing an attacker to arbitrarily delete any node registered, including the root node.
Vendor ResponseOracle / PeopleSoft has issued an update to correct this vulnerability. More details can be found at:
2007-01-29 - Vulnerability reported to vendor
2007-04-17 - Coordinated public release of advisory
CreditThis vulnerability was discovered by: