Security Advisory: [Full-disclosure] Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server

[EN] securityvulns.ru
no-pyccku

Related information
  Oracle applications multiple security vulnerabilities
  Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover
  Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.
ODCITABLESTART
  Team SHATTER Security Advisory: SQL Injection in Oracle Enterprise Manager (TARGET Parameter)
  Oracle Application Server Portal 10g Cross Site Scripting Vulnerability

From: Eduardo Vela <sirdarckcat_(at)_gmail.com>
Date: 20.01.2009
Subject: [Full-disclosure] Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server

Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on
Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to
an ASCII-LOW char, that is: ".".

You can read dangerous configuration information including passwords,
users, paths, etc..
Discovered: 8/16/08
Vendor contacted: 8/16/08
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09

Oracle security bug id: 7391479

For more information contact Oracle Security Team: secalert_us@oracle.com

I really wanted to give a link to a patch, but I think it's better if
this is known by sysadmins so they can filter this using an IDS.

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

test server