Oracle Applications vulnerable to Web attack

A hole in Oracle Applications 11i lets attackers commandeer the database by injecting SQL code into Web-based forms

Oracle Corporation has announced a security flaw in Oracle Applications 11i that allows an attacker to execute database operations through a company's Web site.

The flaw, which is categorised at the highest severity level, can be exploited with little specialised knowledge and has no work-around, according to the security alert sent out by Oracle. Oracle says the patch should be applied immediately.

The flaw, discovered by security firm Integrigy Corporation, is an SQL injection vulnerability. It allows an attacker to manipulate the database by submitting SQL code in Web page input fields that the application passes, unchecked, into its own database queries. Customers with Internet-facing application servers are most exposed because they can be attacked remotely by anyone with a browser.
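The mechanism described above, as an added example that is not Oracle's code and not the flaw Integrigy found: a hypothetical employee-lookup form handler, written in Python against SQLite, once built by pasting the form value straight into the SQL text and once with a bound parameter. The schema, rows, table names and attack strings are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed sample database (not an Oracle Applications schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO employees (name, salary) VALUES (?, ?)",
        [("alice", 50000), ("bob", 62000), ("carol", 71000)],
    )
    conn.executemany(
        "INSERT INTO app_users (username, password_hash) VALUES (?, ?)",
        [("admin", "hash-of-admin-secret"), ("ops", "hash-of-ops-secret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical form handler: the browser-supplied value becomes part of the SQL text.

    Whatever the user types is parsed by the database as SQL, so a quote
    character ends the intended string literal and the rest is attacker-chosen.
    """
    query = f"SELECT name, salary FROM employees WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Same lookup with a bound parameter: the value is sent to the engine as data,
    never parsed as SQL, so quotes, comments and UNIONs in it are inert."""
    query = "SELECT name, salary FROM employees WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Constructed attack inputs an attacker could type into the Web form.
# 1) Tautology plus a trailing comment: turns a one-row lookup into a dump of the table.
TAUTOLOGY = "x' OR 1=1 --"
# 2) UNION: reads a different table through the same form, e.g. credential material.
UNION_LEAK = "' UNION SELECT username, password_hash FROM app_users --"


def demo():
    """Run both handlers against honest and hostile input; returns the results."""
    conn = setup_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "honest_hardened": lookup_hardened(conn, "alice"),
        "tautology_vulnerable": sorted(lookup_vulnerable(conn, TAUTOLOGY)),
        "tautology_hardened": lookup_hardened(conn, TAUTOLOGY),
        "union_vulnerable": sorted(lookup_vulnerable(conn, UNION_LEAK)),
        "union_hardened": lookup_hardened(conn, UNION_LEAK),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} {rows}")
```

The honest lookup behaves identically in both versions; only the hostile inputs differ, which is why this class of bug survives functional testing. Note that Python's sqlite3 refuses to run more than one statement per `execute()` call; against a driver that accepts stacked statements the same concatenation would also let the attacker append `UPDATE` or `DELETE` statements. The fix is binding parameters everywhere user input reaches a query, not filtering quote characters at the form.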

Oracle Applications, also called Oracle E-Business Suite, is a set of applications and modules that enables an organisation to carry out various business functions, including financial management, human resources and inventory management, on a single database.

Oracle Applications 11.5.1 to 11.5.8 are affected, as are all releases of Oracle Applications 11.0. Releases 11.5.9 and later are not affected. Oracle has provided a patch for the security alert.

Oracle UK declined to comment on this security flaw and was unable to provide figures for the current number of users of Oracle Applications in the UK.