Oracle Database Server UTL_FILE Error Discloses Files to Remote Authenticated Users

March 8, 2005

[From SecurityTracker.com]

Version(s): 8i, 9i

Description: An input validation vulnerability was reported in Oracle Database Server in the UTL_FILE package. A remote authenticated user can access arbitrary files on the target system.

The software does not properly validate user-supplied input in some Directory Object functions. A remote authenticated user can exploit a flaw in UTL_FILE by supplying directory traversal characters to some Directory Object functions to gain read or write access to files on the target system that are located outside of the intended directory.
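An application-side check for the flaw described above, as an added example that is not from the advisory or from Oracle: a PL/SQL wrapper that accepts only a plain file name before calling `UTL_FILE.FOPEN`, followed by two dictionary queries for reviewing exposure. The function name `safe_fopen`, the directory object name `APP_OUT`, the allowlist, the length limit and the error numbers are assumptions made for the illustration.

```sql
-- Added example: SAFE_FOPEN is a hypothetical wrapper, not Oracle code.
-- It accepts only a plain file name, so the name cannot point outside
-- the directory object passed in p_dir.
CREATE OR REPLACE FUNCTION safe_fopen (
    p_dir      IN VARCHAR2,  -- directory object name, e.g. 'APP_OUT' (constructed)
    p_filename IN VARCHAR2,  -- untrusted, user-supplied file name
    p_mode     IN VARCHAR2   -- 'r', 'w' or 'a'
) RETURN UTL_FILE.FILE_TYPE
IS
    -- Characters permitted in a file name (allowlist chosen for this example).
    c_allowed CONSTANT VARCHAR2(80) :=
        'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-';
BEGIN
    IF p_filename IS NULL OR LENGTH(p_filename) > 64 THEN
        RAISE_APPLICATION_ERROR(-20001, 'file name missing or too long');
    END IF;

    -- TRANSLATE deletes every allowed character; anything left over
    -- ('/', '\', ':', NUL, spaces, ...) is a disallowed character.
    IF TRANSLATE(p_filename, '#' || c_allowed, '#') IS NOT NULL THEN
        RAISE_APPLICATION_ERROR(-20002, 'file name contains disallowed characters');
    END IF;

    -- '.' is allowed for extensions, so reject dot sequences explicitly.
    IF INSTR(p_filename, '..') > 0 OR SUBSTR(p_filename, 1, 1) = '.' THEN
        RAISE_APPLICATION_ERROR(-20003, 'file name contains a dot sequence');
    END IF;

    IF p_mode IS NULL OR p_mode NOT IN ('r', 'w', 'a') THEN
        RAISE_APPLICATION_ERROR(-20004, 'unsupported open mode');
    END IF;

    RETURN UTL_FILE.FOPEN(p_dir, p_filename, p_mode);
END safe_fopen;
/

-- Exposure review: who can call UTL_FILE, and which directories exist.
SELECT grantee, privilege FROM dba_tab_privs WHERE table_name = 'UTL_FILE';
SELECT directory_name, directory_path FROM dba_directories;
```

The wrapper only constrains callers that go through it; accounts holding a direct EXECUTE grant on `UTL_FILE`, which the first query lists, can still call the package themselves.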

