Source: http://blog.red-database-security.com/2009/01/29/sql-injection-notes-in-oracle-metalink/
[.....]
The second finding in Metalink was an exploit in the CMS from Stellent (aka Oracle Universal Content Management), acquired by Oracle in 2007. Publishing exploits with customer URLs is bad style…
———–
Note 733017.1 from October 2008 says:
Version 6.2 of the Content Server has an SQL injection vulnerability. Oracle was so nice as to publish the exploit pointing to a customer site.
Security consultant report states:
Severity: 5
Port: 80
Name: SQL injection
Description: “An SQL injection vulnerability was identified in the following page: http://customer.site/****&dID=1%20and%20convert(varchar.(select%20@@version))=1
The back-end version return was ‘Microsoft SQL Server 2000 -8′”
– Business Impact:
Potential security threat
Cause
This is a known bug/issue with 7.5 and prior. (internal bug p51038621)
———————————–
Good to know that SQL Injection is just a potential security threat…
UPDATE:
Oracle removed note 733017.1 from Metalink.
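
Added example (not part of the original post or the Metalink note): the `dID` value in the quoted finding is a numeric identifier carrying SQL text. The Python sketch below uses sqlite3 as a stand-in back end, with a hypothetical `docs` table and hypothetical function names, to show the concatenated lookup handing that text to the database while the validated, bound lookup rejects it first.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample: the dID value from the finding quoted above, URL-decoded.
REPORTED_DID = unquote("1%20and%20convert(varchar.(select%20@@version))=1")

def make_db():
    """In-memory stand-in for the content store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (dID INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO docs VALUES (1, 'Welcome page')")
    return db

def lookup_concat(db, did):
    """Flawed pattern: request text becomes part of the SQL statement."""
    sql = "SELECT title FROM docs WHERE dID = " + did
    return db.execute(sql).fetchone()

def parse_did(raw):
    """Accept only a short run of ASCII digits; reject everything else."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("dID must be a positive integer")
    return int(raw)

def lookup_bound(db, did):
    """Hardened pattern: validate the type, then pass the value as a bind parameter."""
    sql = "SELECT title FROM docs WHERE dID = ?"
    return db.execute(sql, (parse_did(did),)).fetchone()

def classify(db, did):
    """Report how each lookup treats the same input."""
    try:
        lookup_concat(db, did)
        concat = "executed"
    except sqlite3.Error as exc:
        # A database error raised by request text is what an error page can echo back.
        concat = "database error: " + str(exc)
    try:
        lookup_bound(db, did)
        bound = "executed"
    except ValueError:
        bound = "rejected before reaching the database"
    return concat, bound

if __name__ == "__main__":
    db = make_db()
    for value in ("1", REPORTED_DID):
        print(repr(value), classify(db, value))
```

sqlite3 does not reproduce SQL Server's conversion error; the database error on the concatenated path only shows that the request text was parsed as SQL.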