Oracle’s Retek provides retailers with an integrated suite of business applications used by retailers worldwide. A SQL injection vulnerability exists in the invoiceAdvSearchDone.do page and can be exploited through a relatively simple POST request. Depending on the user’s permissions, further exploitation may be possible. In a default installation the database connection uses a non-DBA account, but that level of access still permits the enumeration of databases and tables, users, passwords, roles and privileges. http://alrt.co/17jGlgH
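To make the defect and the two layers of defence concrete, here is an added example that is not code from the alert or from Oracle Retail. It models a hypothetical invoice search handler twice, once building the SQL by string concatenation (the class of bug described above) and once with a bound parameter, and adds a small signature check of the kind a WAF applies to a POST body before the request reaches the application. The table, column names, request bodies and signature list are all constructed for this illustration.

```python
"""
Added illustration (not the product's code): a vulnerable and a hardened
invoice search over an in-memory SQLite table, plus a WAF-style pre-check
on the raw POST body.  Every name and value here is constructed.
"""
import re
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table standing in for an invoice store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoice (id INTEGER PRIMARY KEY, supplier TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO invoice (supplier, amount) VALUES (?, ?)",
        [("Acme Foods", 120.0), ("Bolt Hardware", 75.5), ("Cedar Textiles", 310.0)],
    )
    return conn


def _supplier_from_body(post_body: str) -> str:
    # Hypothetical form field 'supplier'; '+' and %xx escapes are decoded
    # exactly as a servlet container would decode them.
    return parse_qs(post_body).get("supplier", [""])[0]


def search_vulnerable(conn: sqlite3.Connection, post_body: str) -> list:
    """The bug: the decoded field is pasted straight into the statement,
    so a quote in the value changes the query's structure."""
    supplier = _supplier_from_body(post_body)
    sql = f"SELECT id, supplier, amount FROM invoice WHERE supplier = '{supplier}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, post_body: str) -> list:
    """The fix: the value is bound as data, never parsed as SQL."""
    supplier = _supplier_from_body(post_body)
    return conn.execute(
        "SELECT id, supplier, amount FROM invoice WHERE supplier = ?", (supplier,)
    ).fetchall()


# Constructed signatures in the spirit of a WAF rule set: a quote followed by a
# boolean tautology, SQL comment openers that truncate a statement, and UNION
# SELECT.  Signature checks are an interim shield, not a replacement for the
# parameterized query above.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.IGNORECASE),
    re.compile(r"(--|/\*)"),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
]


def looks_like_sqli(post_body: str) -> bool:
    """Return True if any decoded field value matches a SQLi signature."""
    fields = parse_qs(post_body, keep_blank_values=True)
    for values in fields.values():
        for value in values:
            if any(p.search(value) for p in SQLI_PATTERNS):
                return True
    return False


def handle_request(conn: sqlite3.Connection, post_body: str) -> dict:
    """WAF check first, then the hardened handler; reports both outcomes."""
    if looks_like_sqli(post_body):
        return {"blocked": True, "rows": []}
    return {"blocked": False, "rows": search_parameterized(conn, post_body)}


if __name__ == "__main__":
    db = make_db()
    normal = "supplier=Acme+Foods"
    # Constructed request whose decoded value is: x' OR '1'='1
    injected = "supplier=x%27+OR+%271%27%3D%271"
    print("concatenated, normal :", search_vulnerable(db, normal))
    print("concatenated, injected:", search_vulnerable(db, injected))  # dumps every row
    print("parameterized, injected:", search_parameterized(db, injected))  # no rows
    print("WAF verdict, injected  :", handle_request(db, injected))
```

The concatenated handler returns the entire table for the injected body, which is the "relatively simple POST request" the alert refers to; the parameterized handler treats the same value as an ordinary, non-matching supplier name. The signature check in front of it is what a WAF buys an organisation while the vendor update is being scheduled.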
Takeaway: Although Oracle has released updates for the vulnerability, updates to major ERP systems used by retailers take months, if not years, to plan and implement. A relatively simpler solution is to install a Web Application Firewall (WAF) in front of the application to identify and stop such attacks. A WAF with a learning engine will quickly distinguish bad web traffic from good and prevent loss of data.