lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 20 Jan 2009 15:44:42 -0600
From: "Eduardo Vela" <sirdarckcat@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Oracle Containers For Java Directory
	Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0)
	Oracle HTTP Server

Probably one of this are the vulnerabilty descriptions of the bugs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4017

If it's the same issue, Oracle didn't contacted me to notify me about it..
if it is that bug, then it could be fixed via:
https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html

or in that case

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Greetings!!

-- Eduardo
http://www.sirdarckcat.net/


On Mon, Jan 19, 2009 at 10:56 PM, Eduardo Vela <sirdarckcat@...il.com>wrote:

> Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0
> Oracle-HTTP-Server
> PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
> Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
> Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on
> Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to
> an ASCII-LOW char, that is: ".".
>
> You can read dangerous configuration information including passwords,
> users, paths, etc..
> Discovered: 8/16/08
> Vendor contacted: 8/16/08
> Vendor response: 8/18/08
> Vendor reproduced the issue: 9/10/08
> Vendor last contact: 9/30/08
> Public Disclosure: 1/19/09
>
> Oracle security bug id: 7391479
>
> For more information contact Oracle Security Team: secalert_us@...cle.com
>
> I really wanted to give a link to a patch, but I think it's better if
> this is known by sysadmins so they can filter this using an IDS.
>
> Greetings!!
>
> -- Eduardo
> http://www.sirdarckcat.net/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ