Reported April 11, 2003, by Stephen Kost.





Oracle E-Business Suite 11i, releases 10.7, 11.0, and 11.5.1 through 11.5.8




A vulnerability in the communications protocol that Oracle Applications FND File Server (FNDFS) uses can permit an attacker to bypass any OS, database, and application authentication to retrieve files from Oracle Applications Concurrent Manager servers. If the attacker has direct access to the Concurrent Manager server through SQL*Net, he or she can retrieve sensitive data or files (e.g., any file accessible by the oracle or applmgr accounts) that contain critical passwords.




Oracle has released a security bulletin regarding this vulnerability and recommends that affected users download and apply the appropriate update.




Discovered by Stephen Kost of Integrigy Corporation.