Oracle Posts Exploit Code for Database Flaw

http://www.computerworld.com/databasetopics/data/software/story/0,10801,110521,00.html wrote:

APRIL 17, 2006 (COMPUTERWORLD) - Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code for exploiting the flaw.
The information about the vulnerability was included in a note that was briefly posted on Oracle 's MetaLink customer support portal on April 6.

Oracle removed the information the next day after being informed of the security risks, said Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany.

Kornbrust distributed an advisory about the vulnerability to the Full Disclosure security mailing list last Monday. The security researcher said he decided to go public with the information about the vulnerability because enough people had already seen Oracle's Metalink note to pose a risk for users of the database.

An Oracle spokeswoman declined to comment about how the exploit code was released. She said the company plans to provide a software fix for the database hole "in a future quarterly patch update," although it won't be in the next set of security patches that Oracle plans to release tomorrow.

To exploit the vulnerability, an attacker would first need to have a user account on an Oracle database. By creating specially crafted queries, users who normally would only be able to read data could change the underlying information in a database. Received on Tue Apr 18 2006 - 02:30:18 CDT