Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server

2009.01.22

Credit: Eduardo Vela

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on
Java's side: "%c0%ae" is interpreted as: "uC0AE" that get's casted to
an ASCII-LOW char, that is: ".".
You can read dangerous configuration information including passwords,
users, paths, etc..
Discovered: 8/16/08
Vendor contacted: 8/16/08
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09
Oracle security bug id: 7391479
For more information contact Oracle Security Team: secalert_us_at_oracle&#46;com
I really wanted to give a link to a patch, but I think it's better if
this is known by sysadmins so they can filter this using an IDS.
Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

References:

http://seclists.org/fulldisclosure/2009/Jan/0767.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.