Sunday, December 17, 2006

CERT is picking up speed.

As you have been able to read in this blog I have found 2 separate security bugs in Oracle Software. One security bug is about Oracle iStore where users are able to view the order information of other customers. This is enabling a user to view what all other customer have purchased, to which address it is shipped and to which address the bill is send. Also the cost information and what kind of payment type there was used, credit card for example. The security bug is simply to exploit on every webshop that is making use of Oracle iStore and did not enable URL encryption.

The solution is somewhat vague in mentioned in the Oracle iStore implementation guide. It can be found under the section of cookie encryption. By enabling the encryption in the CRM module the URL’s will also be partly encrypted and prevent users from URL manipulation. However this is still not a complete solution but rather a workaround in my opinion. On my website you can find some hints about how you can make a more stable fix.

The second security bug is about a password decryption vulnerability in Oracle E-Business Suite. By manipulating a PL/SQL package someone can decrypt all stored user passwords. By using a java function you can even bypass this manipulation of the PL/SQL package and do it on a separate computer. This is compromising the integrety of the E-Business Suite and makes it possible for users to pretend that they are a other user. For example upgrading there salary scale as if they where someone of the Human Resource department or give huge discounts on products for particular customers. That is besides the potential danger of people leaking information. I have described the bug in somewhat more detail in this posting.

Because of the potential danger of both the bugs I have send out separate mails to CERT and the Dutch CERT to inform them about the bugs. From both I have received mails back. The Dutch reported that they have noted the bug and that they would inform Oracle, after this only silence was heard. The American CERT organization however send me a mail that they received the security thread mail and gave me 2 separate tracking numbers to which I could refer when I communicated with them about this. Not only that but at this moment I keep receiving mails from CERT about the bugs, and I some questions from Oracle about some technical details of the bug and how to solve this in the best way. So CERT is playing the middle man in the solving of this thread. I still have to wait and see what will come out of this and if Oracle will release a patch but I surely hope so, especially for the iStore bug because at this moment there are several web stores active that are vulnerable to this exploit.

Also I noted that the number of visitors to my website terminalcult.org and to this weblog is grown enormous. And from this a large number of the visitors are coming from the Oracle Company. Shame is still that I did not have had direct contact with Oracle but that CERT is still playing the middle man. I understand this and it might be a good solution however it might speed up things if there was some more direct contact. We will wait and see how things will play out in the upcoming days.


No comments: