lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri Dec 23 08:23:55 2005 From: j.greil at sec-consult.com (Johannes Greil) Subject: SEC Consult SA-20051223-1 :: File Disclosure using df_next_page parameter in OracleAS Discussion Forum Portlet SEC Consult Security Advisory < 20051223-1 > ======================================================================== title: < File Disclosure using df_next_page parameter in OracleAS Discussion Forum Portlet > program: < OracleAS Discussion Forum Portlet > vulnerable version: < Version of May 2005 > homepage: < http://www.oracle.com > found: < 2005-09-16 > by: < Johannes Greil > SEC-CONSULT / www.sec-consult.com ======================================================================== vendor description: ------------------- Oracle's business is information - how to manage it, use it, share it, protect it. For nearly three decades, Oracle, the world's largest enterprise software company, has provided the software and services that let organizations get the most up-to-date and accurate information from their business systems. [www.oracle.com] vulnerability overview: ----------------------- It is possible to read arbitrary files of the system such as the WEB-INF directory through the discussion forum portlet. An attacker needs to know the file names. proof of concept: ----------------- By requesting the forum URL and adding a null character "%00" to the "df_next_page" parameter, it is possible to retrieve the source code of the JSP files or other content on the server. e.g. $ GET http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL& df_next_page=htdocs/search.jsp%00 vulnerable versions: -------------------- Version of May 2005 http://www.oracle.com/technology/products/ias/portal/point_downloads.html#forum vendor status: -------------- vendor notified: 2005-09-26 vendor response: 2005-09-27 patch available: - The first response from Oracle was on 27th September (assigning bug numbers) with a more detailed answer on 28th September. They explicitly said that the forum is sample code and shouldn't be used in a production environment although it can be found in such installations. The last email from Oracle was on 21st October saying that they will fix it "hopefully within the next 4 weeks". Asking them for a status update at the beginning of December and another email on 19th December didn't trigger any responses hence this advisory is being released. solution: --------- Only use the forum portlet in test installations and not in a production environment. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ < Johannes Greil > / www.sec-consult.com / SGT ::: < tke, mei, bmu, dfa > ::: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3248 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051223/6e9283c1/smime.bin
Powered by blists - more mailing lists