In a security advisory, Alexander Kornbrust has reported on a common programming error in Oracle Reports that allows arbitrary database queries to be injected (SQL injections).
Reports that use what are called "lexical references" are affected. If the expression `&paramform=yes` is added to the URL of such a report, a new browser window opens in which the SQL query can be changed easily. The advisory provides a number of examples of improper implementations along with proposed solutions to work around this problem.
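The following Python is an added illustration, not code from the advisory or from Oracle Reports: it simulates a lexical reference, whose raw text is spliced into the report's SQL, next to the two usual countermeasures, an allow-list check on the lexical value and a bind reference. The `emp` table, the `&where_clause` parameter name and the allow-list pattern are assumptions chosen for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the classic Oracle EMP table.
EMPLOYEES = [(7369, "SMITH", 20), (7499, "ALLEN", 30), (7782, "CLARK", 10)]

# Report query with a lexical reference (&where_clause). Oracle Reports
# substitutes the parameter's raw text into the SQL, which is the weakness
# the advisory describes; str.replace below simulates that behaviour.
REPORT_QUERY = "SELECT empno, ename, deptno FROM emp &where_clause"

# Assumed allow-list for this report: exactly one equality test on deptno.
ALLOWED_WHERE = re.compile(r"^WHERE deptno = \d{1,4}$")


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp (empno INT, ename TEXT, deptno INT)")
    con.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMPLOYEES)
    return con


def run_lexical_unchecked(where_clause):
    """Unsafe: the lexical value is spliced into the SQL text verbatim."""
    sql = REPORT_QUERY.replace("&where_clause", where_clause)
    return _connect().execute(sql).fetchall()


def run_lexical_validated(where_clause):
    """Hardened: refuse any lexical value outside the allow-list pattern,
    the kind of check a parameter-form trigger can perform before the
    report query is built."""
    if not ALLOWED_WHERE.match(where_clause):
        raise ValueError(f"rejected lexical parameter: {where_clause!r}")
    return run_lexical_unchecked(where_clause)


def run_bind(deptno):
    """Alternative: a bind reference (:deptno) keeps data out of the SQL text."""
    sql = "SELECT empno, ename, deptno FROM emp WHERE deptno = :deptno"
    return _connect().execute(sql, {"deptno": deptno}).fetchall()


if __name__ == "__main__":
    legit = "WHERE deptno = 10"
    tampered = "WHERE deptno = 10 OR 1=1"   # constructed tampered value
    print(run_lexical_unchecked(legit))     # one row
    print(run_lexical_unchecked(tampered))  # all three rows: the query was changed
    print(run_lexical_validated(legit))     # one row
    try:
        run_lexical_validated(tampered)
    except ValueError as exc:
        print(exc)                          # tampered value is rejected
    print(run_bind(10))                     # one row, no SQL text from the user
```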
Kornbrust believes that such reports with lexical references are very popular because they are so powerful.
- Security Advisory of Red Database Security