TippingPoint Zero Day Initiative

Oracle E-Business Suite Arbitrary Document Download Vulnerability

ZDI-07-017: April 18th, 2007

CVE ID

CVE-2007-2135

Affected Vendors

Oracle / PeopleSoft

Affected Products

Database Server

Vulnerability Details

This vulnerability allows remote attackers to download any existing document in the APPS.FND_DOCUMENTS table on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the ADI_BINARY component of the E-Business Suite. The component exposes a parameter that can also be passed to ADI_DISPLAY_REPORT to allow an attacker to view any document in the APPS.FND_DOCUMENTS table. An attacker can cycle through all document IDs to display each document that exists.

Vendor Response

Oracle / PeopleSoft has issued an update to correct this vulnerability. More details can be found at:

Oracle Critical Patch Update - April 2007

Disclosure Timeline

2007-01-29 - Vulnerability reported to vendor
2007-04-18 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Joxean Koret

Published Advisories

ZDI-08-047: RealNetworks

• published 2008-07-25

ZDI-08-046: RealNetworks

• published 2008-07-25

ZDI-08-045: Apple

• published 2008-07-25

ZDI-08-044: Mozilla Firefox

• published 2008-07-17

ZDI-08-043: Sun Microsystems

• published 2008-07-17

Upcoming Advisories

Microsoft

• reported 2008-07-08, 23 days ago

EMC

• reported 2008-07-07, 24 days ago

EMC

• reported 2008-07-07, 24 days ago

Adobe

• reported 2008-07-03, 28 days ago

Symantec

• reported 2008-06-26, 35 days ago

Recent Press

Apple releases new Mac OS X 10.5.5

• published 2008-07-31, ITWire

High-priority patch fixes critical vulns in RealPlayer

• published 2008-07-25, The Register

Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

• published 2008-07-17, SlashDot

iPhone and iPod Touch updated with security patches

• published 2008-07-11, CNET

Apple TV gets a security update

• published 2008-07-10, CNET