Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[AP] Oracle Reports Server Information Disclosure Vulnerability

From: skp <skp () bigunz angrypacket com>
Date: Wed, 17 Jul 2002 12:47:45 -0700
                 - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author:       skp <skp () bigunz angrypacket com>
release date: 07/17/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0004

+-------------------- -- -
+ product information
+----------------- -- -
software:     Oracle Reports Server
vendor:       Oracle
homepage:     http://www.oracle.com
description:  Reports Server is a commercially available
              reporting package distributed by Oracle.

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Information Disclosure
affected:     Oracle Reports Server
explanation: Oracle reports server happily reports an excessive amount of system information to unauthenticated remote users. Seems that 
              someone likes verbose debugging. These variables include:
# PATH D:\ORACLE\iSuites\Apache\fastcg;D:\ORACLE\806\jdk\bin 
              # ORACLE_HOME D:\ORACLE\806
              # REPORTS60_PATH D:\WEB_REPORTS
              # REPORTS60_TMP D:\ORACLE\806\REPORT60\TMP

              Also, rwcgi60 likes to make sure you know versions:
# Oracle Reports Server CGI60 version 6.0, a Win32 executable 
              # Oracle_Web_Listener/4.0.7.0.0 Enterprise Edition

              Oh and don't forget the last few lines:
              # Stdin is empty.
              # CGI Command Line is used
              # main.argv[0] d:\oracle\806\tools\web60\cgi\rwcgi60.EXE
This level of information should not be given out to the public, someone could poke an eye out with that stuff. An attacker could 
              use information gleaned from rwcgi60 to identify vulnerable
software, dev kits, etc installed on the system which could be 
              used as points of entry.
risk: At this time rwcgi60 offers no more than excessive information 
              disclosure so this is classified as a low risk exposure.

status:       Vendor was notified 07/09/02

exploit:      http://some.site.com/cgi-bin/rwcgi60
              http://some.site.com/cgi-bin/rwcgi60/showenv
fix: Configuration issue. See Oracle note 133957.1 - Restricting Access 
              to the Reports Server Environment and Output.

+-------- -- -
+ credits
+----- -- -
Bug was found by skp of AngryPacket security group.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -
Previous By Date Next
Previous By Thread Next

Current thread: