Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
- To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
- From: "Eduardo Vela" <sirdarckcat@xxxxxxxxx>
- Date: Mon, 19 Jan 2009 22:56:32 -0600
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=Q8pmbEp+eGP1CXK4Mcc91OFs5gKd81fbYLNtc+57g5s=; b=fb6xNpTYIOfFSU8w0NTFCxCHvY9/5WbNgXvMvLl4iBmETWm1Ucq12rcw5yZa1LA3qG RzuiAAP9ps0AI0eEGkRoQ/5ca3IK3RoMfNQyBfpMHgNmgAzpyGJQVLz3BbVYnmK6oDcX ZqxMk0VKoBbwkBGT5msaLA9EP43KknTkQpvl4=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=Js7kdyYi2YYDTX9AwtAOZoAR12R5L2PJCKbEVeyTwoA+Rq27I7tanSKS1m1EHwGS4p kYKLOP8bvp56rdxmKMJXHYlsqK5gEVKDRH2kO6pHko1QKjx7uImLRcjQ2DZFL+ucdYMD NeGg6qAar0S2YSnGdTaViODya6vs8/GdGFCZA=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on
Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to
an ASCII-LOW char, that is: ".".
You can read dangerous configuration information including passwords,
users, paths, etc..
Discovered: 8/16/08
Vendor contacted: 8/16/08
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09
Oracle security bug id: 7391479
For more information contact Oracle Security Team: secalert_us@xxxxxxxxxx
I really wanted to give a link to a patch, but I think it's better if
this is known by sysadmins so they can filter this using an IDS.
Greetings!!
-- Eduardo
http://www.sirdarckcat.net/