Dana Taylor, a researcher and information security specialist with the University of Pennsylvania, has publicly disclosed the details of three security vulnerabilities in Oracle Corp.'s Forms and Reports software components, and criticized the Redwood City, Calif.-based company for its lackluster response to her private disclosures.
Though the severity of the vulnerabilities is disputed, they could enable an attacker to gain access to a variety of sensitive files, and if combined with other vulnerabilities, could reportedly put an entire network at risk.
Forms and Reports are both components of Oracle Fusion Middleware, the database giant's package of software add-ons for building and integrating custom functionality with its core database software. The flaws are specific to 11.1 versions of Fusion Middleware. As of September 2013, Oracle reported 115,000 Fusion Middleware customers, though it's unclear how many use Forms or Reports.
In a new blog post detailing her actions, first reported by CSO, Taylor wrote that she originally contacted Oracle about the first vulnerability, which reportedly allows an unauthenticated Web browser to dump database passwords, in April of 2011. She said Oracle responded that the vulnerability was in fact a "configuration error."