| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Jan 2009 21:08:29 +0000 From: Mark Thomas <markt@...che.org> To: Eduardo Vela <sirdarckcat@...il.com> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server Eduardo Vela wrote: > Probably one of this are the vulnerabilty descriptions of the bugs: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5460 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4017 Looks to be an exact match with http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 Note that although initially reported as a Tomcat vulnerability, the root cause is a JVM bug. Mark > > If it's the same issue, Oracle didn't contacted me to notify me about it.. > if it is that bug, then it could be fixed via: > https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html > > or in that case > > http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html > > Greetings!! > > -- Eduardo > http://www.sirdarckcat.net/ > > > On Mon, Jan 19, 2009 at 10:56 PM, Eduardo Vela <sirdarckcat@...il.com>wrote: > >> Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 >> Oracle-HTTP-Server >> PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml >> Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 >> Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on >> Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to >> an ASCII-LOW char, that is: ".". >> >> You can read dangerous configuration information including passwords, >> users, paths, etc.. >> Discovered: 8/16/08 >> Vendor contacted: 8/16/08 >> Vendor response: 8/18/08 >> Vendor reproduced the issue: 9/10/08 >> Vendor last contact: 9/30/08 >> Public Disclosure: 1/19/09 >> >> Oracle security bug id: 7391479 >> >> For more information contact Oracle Security Team: secalert_us@...cle.com >> >> I really wanted to give a link to a patch, but I think it's better if >> this is known by sysadmins so they can filter this using an IDS. >> >> Greetings!! >> >> -- Eduardo >> http://www.sirdarckcat.net/ >> > > > ------------------------------------------------------------------------ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists