Oracle E-Business Suite Sensitive Information Disclosure Vulnerability

---------------------------------------------------
Advisory:
Oracle E-Business Suite Sensitive Information Disclosure Vulnerability.

Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2.

Disclosure Timeline:
[ Disclosed: 25 Sept 2008 ]
Oracle fix release date: 13 January 2009

Description:
Oracle E-Business Suite, including applications such as iRecruitment, is vulnerable to a flaw that discloses sensitive information about how the application and its servers are deployed in a production environment. The flaw lies in code shipped with the suite: the "About Us" page (delivered with E-Business Suite) is reachable with guest access, so an unauthenticated user can read the deployment details it displays. No further attack is needed; the information is served directly, and it gives an attacker an accurate picture of the target from which to plan follow-on attacks. The severity is driven by the type of information revealed. Two deployment scenarios are affected: 1. The application is hosted on the Internet with an external interface. 2. The application is hosted inside an organization's production environment.
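The check a practitioner would want here is whether an "about"-style page is served to an unauthenticated client and, if so, what deployment details it prints. The following script is an added example written for this advisory; it is not Oracle code and not part of the original disclosure. It hardcodes no E-Business Suite path: the page URL is supplied by the operator, and the disclosure patterns (release version, internal hostname, database SID, OS banner) and the sample responses are constructed assumptions for illustration, not strings captured from a real deployment.

```python
"""Classify an unauthenticated response from an 'about'-style page.

Added example for this advisory, not Oracle's code. The patterns below
and the sample responses are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed markers of deployment detail. Illustrative, not quoted from the advisory.
DISCLOSURE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "release_version": re.compile(r"\b(?:11\.5\.10(?:\.\d+)?|12\.\d+(?:\.\d+)+)\b"),
    "internal_host": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|corp|local)\b", re.I),
    "db_sid": re.compile(r"\bSID\s*[:=]\s*([A-Za-z][A-Za-z0-9]{1,7})\b"),
    "os_detail": re.compile(r"\b(?:Linux|SunOS|AIX|HP-UX)\s+[\w.-]+\b"),
}

# A 200 that only renders a login form is not a disclosure.
LOGIN_MARKERS = re.compile(r'type\s*=\s*"?password"?', re.I)


@dataclass
class Assessment:
    reachable_as_guest: bool
    leaked: Dict[str, List[str]] = field(default_factory=dict)
    note: str = ""

    @property
    def disclosing(self) -> bool:
        return self.reachable_as_guest and bool(self.leaked)

    @property
    def severity(self) -> str:
        # Rough triage: several distinct detail types together describe the
        # deployment well enough to plan follow-on attacks.
        if not self.disclosing:
            return "none"
        return "high" if len(self.leaked) >= 2 else "medium"


def extract_details(body: str) -> Dict[str, List[str]]:
    """Return each detail type found in the body with its distinct values."""
    found: Dict[str, List[str]] = {}
    for label, pattern in DISCLOSURE_PATTERNS.items():
        values: List[str] = []
        for m in pattern.finditer(body):
            value = m.group(m.lastindex or 0)
            if value not in values:
                values.append(value)
        if values:
            found[label] = values
    return found


def assess_response(status: int, headers: Dict[str, str], body: str) -> Assessment:
    """Decide whether the page was served to a guest and what it revealed."""
    location = headers.get("Location", "")
    if status in (401, 403) or (status in (301, 302, 303, 307) and "login" in location.lower()):
        return Assessment(False, note=f"blocked (HTTP {status})")
    if status == 200 and LOGIN_MARKERS.search(body):
        return Assessment(False, note="login form returned")
    if status != 200:
        return Assessment(False, note=f"unexpected HTTP {status}")
    return Assessment(True, extract_details(body), note="served without authentication")


def assess_url(url: str, timeout: float = 10.0) -> Assessment:
    """Live check against an operator-supplied URL. urlopen follows redirects,
    so a login redirect shows up here as the 200 login-form branch above."""
    req = Request(url, headers={"User-Agent": "about-page-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, dict(resp.headers),
                                   resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return assess_response(err.code, dict(err.headers), "")


# Constructed sample responses (not captured from any real system).
SAMPLE_LEAKY = (200, {"Content-Type": "text/html"}, """
<html><body><h2>About this deployment</h2>
<p>Applications Release 12.0.6 on host ebsapp01.corp.local</p>
<p>Database SID: PRODDB, running on Linux 2.6.18-92.el5</p>
</body></html>""")
SAMPLE_LOGIN = (200, {"Content-Type": "text/html"}, """
<html><body><form method="post"><input name="username">
<input type="password" name="password"></form></body></html>""")
SAMPLE_BLOCKED = (302, {"Location": "/login"}, "")

if __name__ == "__main__":
    for name, sample in (("leaky", SAMPLE_LEAKY), ("login", SAMPLE_LOGIN), ("blocked", SAMPLE_BLOCKED)):
        a = assess_response(*sample)
        print(f"{name}: reachable={a.reachable_as_guest} severity={a.severity} {a.note} {a.leaked}")
```

The offline classifier is the part worth reusing: run `assess_url()` against the page in a test environment first, and treat anything reported as "served without authentication" with a non-empty `leaked` map as confirmation that guest access must be removed, not merely that the page should be tidied.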

Proof of Concept:
Download: Oracle E-Business Flaw Whitepaper.

Credit:
Aditya K Sood [ Founder, Secniche Security ; Team Lead, EvilFingers Community ]

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied, by or with respect to anything in this document, and the author shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

---------------------------------------------------