Oracle Application Server Portal components SQL injection

oracle-portal-sql-injection (13593) The risk level is classified as MediumMedium Risk


Oracle9i Application Server Portal is vulnerable to SQL injection, caused by a vulnerability in the List of Values (LOVs), Portal DB Provider Forms, Portal DB Provider Hierarchy, and Portal DB Provider XML components. A remote unauthenticated attacker, with HTTP access, could send a specially-crafted URL request containing arbitrary SQL code to gain unauthorized access to user information, which would allow the attacker to add, modify or delete user information in the Oracle9i Application Server Data Dictionary tables.


Gain Access


Apply the appropriate patch for your system, as listed in Oracle Security Alert #61. See References.


  • CIAC Information Bulletin O-017: Oracle SQL Injection Vulnerability in Oracle9i Application Server.
  • NGSSoftware Insight Security Research Advisory #NISR05112003: Multiple SQL Injection Vulnerabilities in Oracle Application Server 9i and RDBMS.
  • Oracle Security Alert #61: SQL Injection Vulnerability in Oracle9i Application Server.
  • BID-8966: Oracle9iAS Portal Component SQL Injection Vulnerability
  • CVE-2003-1193: Multiple SQL injection vulnerabilities in the Portal DB (1) List of Values (LOVs), (2) Forms, (3) Hierarchy, and (4) XML components packages in Oracle Oracle9i Application Server through allow remote attackers to execute arbitrary SQL commands via the URL.
  • OSVDB ID: 2763: Oracle Application Server Multiple Portal Component Unspecified SQL Injection

Platforms Affected:

  • Oracle Application Server Portal
  • Oracle Application Server Portal
  • Oracle Application Server Portal
  • Oracle Application Server Portal


Nov 03, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page