Bugtraq mailing list archives
Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
From: "Eduardo Vela" <sirdarckcat () gmail com>
Date: Mon, 19 Jan 2009 22:56:32 -0600
Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to an ASCII-LOW char, that is: ".". You can read dangerous configuration information including passwords, users, paths, etc.. Discovered: 8/16/08 Vendor contacted: 8/16/08 Vendor response: 8/18/08 Vendor reproduced the issue: 9/10/08 Vendor last contact: 9/30/08 Public Disclosure: 1/19/09 Oracle security bug id: 7391479 For more information contact Oracle Security Team: secalert_us () oracle com I really wanted to give a link to a patch, but I think it's better if this is known by sysadmins so they can filter this using an IDS. Greetings!! -- Eduardo http://www.sirdarckcat.net/
Current thread:
- Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server Eduardo Vela (Jan 20)
- Message not available