Bugtraq mailing list archives
[AP] Oracle Reports Server Information Disclosure Vulnerability
From: skp <skp () bigunz angrypacket com>
Date: Wed, 17 Jul 2002 12:47:45 -0700
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author:       skp <skp () bigunz angrypacket com>
release date: 07/17/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0004

+-------------------- -- -
+ product information
+----------------- -- -
software:    Oracle Reports Server
vendor:      Oracle
homepage:    http://www.oracle.com
description: Reports Server is a commercially available reporting
             package distributed by Oracle.

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:  Information Disclosure
affected: Oracle Reports Server

explanation: Oracle reports server happily reports an excessive amount
of system information to unauthenticated remote users. Seems that
someone likes verbose debugging. These variables include:

  # PATH D:\ORACLE\iSuites\Apache\fastcg;D:\ORACLE\806\jdk\bin
  # ORACLE_HOME D:\ORACLE\806
  # REPORTS60_PATH D:\WEB_REPORTS
  # REPORTS60_TMP D:\ORACLE\806\REPORT60\TMP

Also, rwcgi60 likes to make sure you know versions:

  # Oracle Reports Server CGI60 version 6.0, a Win32 executable
  # Oracle_Web_Listener/4.0.7.0.0 Enterprise Edition

Oh and don't forget the last few lines:

  # Stdin is empty.
  # CGI Command Line is used
  # main.argv[0] d:\oracle\806\tools\web60\cgi\rwcgi60.EXE

This level of information should not be given out to the public,
someone could poke an eye out with that stuff. An attacker could
use information gleaned from rwcgi60 to identify vulnerable
software, dev kits, etc installed on the system which could be
used as points of entry.

risk: At this time rwcgi60 offers no more than excessive information
disclosure so this is classified as a low risk exposure.

status: Vendor was notified 07/09/02

exploit: http://some.site.com/cgi-bin/rwcgi60
         http://some.site.com/cgi-bin/rwcgi60/showenv

fix: Configuration issue. See Oracle note 133957.1 - Restricting Access
to the Reports Server Environment and Output.

+-------- -- -
+ credits
+----- -- -
Bug was found by skp of AngryPacket security group.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
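
Added example, not part of the advisory or of any Oracle tooling: a log check an administrator could run to see whether the two request forms listed above were answered for outside clients, before and after access is restricted. The Common Log Format input, the internal address ranges, the ".exe" URL variant and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# The two request forms listed in the advisory: bare rwcgi60 and rwcgi60/showenv.
# Matching an optional ".exe" suffix is an assumption (argv[0] shows rwcgi60.EXE).
RWCGI_RE = re.compile(r'/rwcgi60(?:\.exe)?(?P<env>/showenv)?/?$', re.IGNORECASE)
# Assumption: address ranges this site treats as trusted/internal.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # logged hostname, not an IP: treat as external
    return any(addr in net for net in INTERNAL)

def find_exposure(lines):
    """Return one finding per external request to the disclosure pages."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_internal(m["host"]):
            continue
        path, _, query = m["target"].partition("?")
        hit = RWCGI_RE.search(unquote(path))  # decode %xx before matching
        # A bare rwcgi60 with a query string is an ordinary report request.
        if not hit or (query and not hit["env"]):
            continue
        findings.append({
            "host": m["host"],
            "kind": "showenv" if hit["env"] else "bare",
            "served": m["status"] == "200",  # False: the request was refused
        })
    return findings

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [17/Jul/2002:13:01:10 -0700] "GET /cgi-bin/rwcgi60/showenv HTTP/1.0" 200 2314',
    '10.1.2.3 - - [17/Jul/2002:13:02:00 -0700] "GET /cgi-bin/rwcgi60/showenv HTTP/1.0" 200 2314',
    '198.51.100.9 - - [17/Jul/2002:13:03:41 -0700] "GET /cgi-bin/rwcgi60?report=sales.rdf HTTP/1.0" 200 9120',
    '198.51.100.9 - - [17/Jul/2002:13:04:02 -0700] "GET /cgi-bin/rwcgi60 HTTP/1.0" 200 1877',
    '203.0.113.7 - - [18/Jul/2002:09:15:27 -0700] "GET /cgi-bin/RWCGI60.EXE/%73howenv HTTP/1.0" 403 289',
]

if __name__ == "__main__":
    for finding in find_exposure(SAMPLE):
        print(finding)
```

A finding with "served" set to False means the request was refused, which is the result to expect once access to the Reports Server environment page has been restricted.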