Oracle Reports / Forms Multiple Vulnerabilities

Secunia Advisory: SA16092
Release Date: 2005-07-20
Last Update: 2006-01-20
Popularity: 20,899 views
Critical: Moderately critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, System access
Where: From remote
Solution Status: Partial Fix
Software: Oracle Application Server 10g, Oracle Developer Suite 10g, Oracle9i Application Server, Oracle9i Developer Suite
CVE reference: CVE-2005-2371, CVE-2005-2372, CVE-2005-2378, CVE-2005-2379

Description: Alexander Kornbrust has reported some vulnerabilities in Oracle Reports and Forms, which can be exploited to gain escalated privileges, gain knowledge of certain information, overwrite arbitrary files, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.
1) Input passed to various parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
Examples:
http://[host]:7778/reports/rwservlet/showenv?server=reptest&debug=[code]
http://[host]:7778/reports/rwservlet/parsequery?server=myserver&test=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=*+delimiter=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=[code]
The vulnerability has been reported in Oracle Reports 9.0.2 with patchset 2. Other versions may also be affected.
2) It's possible to read a small part of the beginning of any XML file on a vulnerable system by passing the path to the file in the "customize" parameter.
Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=cache+desformat=xml+CUSTOMIZE=[path_to_file]
3) It's possible to read a small part of the beginning of any file on a vulnerable system by passing the path to the file in the "desformat" parameter.
Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=file+MODE=CHARACTER+desformat=[path_to_file]
4) It is possible to overwrite arbitrary files by passing a specially crafted string to the "desname" parameter. On Windows, it is reportedly possible to overwrite any file. On Linux, it is possible to overwrite any file belonging to the Oracle Application Server user.
The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.
5) It is possible to execute arbitrary reports files (*.rep and *.rdf) by specifying the path to the file in the "report" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users, or by anyone who can place a malicious reports file in a directory on the server.
Example:
http://[host]:7779/reports/rwservlet?server=repserv+report=[path_to_file]
+destype=cache+desformat=PDF
The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.
6) It is possible to execute arbitrary forms files (*.fmx) by specifying the path to the file in the "form" or "module" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users, or by anyone who can place a malicious forms file in a directory on the server.
Examples:
http://[host]:7779/forms90/f90servlet?form=[path_to_file]
http://[host]:7779/forms90/f90servlet?module=[path_to_file]
The vulnerability has been reported in Oracle Forms 4.5, 5.0, 6.0, 6i, 9i, and 10g.
Solution: Vulnerabilities #2, #3 and #4 have been fixed in Oracle Critical Patch Update (January 2006).
Filter requests in a proxy or firewall with URL filtering capabilities. Grant only trusted users access to affected systems and do not allow any untrusted users to upload files.
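The request filtering recommended above, as an added example (not part of the Secunia advisory or of any Oracle code): a Python check that a proxy hook or log review job could apply to request targets for the two servlets. The output-format allowlist, the rule that path-carrying parameters must be bare file names, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

SERVLETS = ("/reports/rwservlet", "/forms90/f90servlet")
# Parameters the advisory names as accepting a client-supplied file path.
PATH_PARAMS = {"report", "form", "module", "customize", "desname"}
# Assumed site allowlist of output formats; adjust to what your reports use.
DESFORMAT_ALLOW = {"pdf", "html", "xml", "delimited"}
MARKUP = re.compile(r"[<>\"']")
PATHISH = re.compile(r"[/\\]|\.\.|^[A-Za-z]:")

def parse_params(query):
    """Split on '&' and '+' (both appear in the advisory's URLs) into [name, value] pairs."""
    pairs = [["", ""]]  # seed so a leading token without '=' is still inspected
    for token in filter(None, re.split(r"[&+]", query)):
        name, sep, value = token.partition("=")
        if sep:
            pairs.append([unquote(name).lower(), unquote(value)])
        else:  # no '=': continuation of the previous value, kept for the checks
            pairs[-1][1] += " " + unquote(token)
    return pairs

def check_request(target):
    """Return reasons to reject a request target; an empty list means pass."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(SERVLETS):
        return []
    reasons = []
    for name, value in parse_params(parts.query):
        if MARKUP.search(value):
            reasons.append(f"{name}: markup characters")
        if name == "desformat" and value.lower() not in DESFORMAT_ALLOW:
            reasons.append("desformat: not an allowed output format")
        elif name in PATH_PARAMS and PATHISH.search(value):
            reasons.append(f"{name}: path supplied by client")
    return reasons

# Constructed request targets (not captured traffic).
SAMPLES = [
    "/reports/rwservlet?server=myserver+report=test.rdf+destype=cache+desformat=PDF",
    "/reports/rwservlet?server=repserv+report=/tmp/in/x.rdf+destype=cache+desformat=PDF",
    "/reports/rwservlet/showenv?server=reptest&debug=%3Cb%3Ex",
    "/forms90/f90servlet?module=C:%5Ctemp%5Cx.fmx",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(check_request(s) or "pass", s)
```

Values are percent-decoded once before checking; a deployment that decodes again further downstream needs the check applied after the final decode.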
Provided and/or discovered by: Alexander Kornbrust, Red-Database-Security.
Changelog: 2005-07-27: Added CVE reference.
2006-01-18: Updated "Solution Status" and "Solution" sections.
2006-01-20: Added links to US-CERT vulnerability notes.
Original Advisory: Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
Red-Database-Security:
http://www.red-database-security.com/advisory/oracle_reports_various_css.html
http://www.red-database-security.com/...oracle_reports_read_any_xml_file.html
http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
http://www.red-database-security.com/...racle_reports_overwrite_any_file.html
http://www.red-database-security.com/...racle_reports_run_any_os_command.html
http://www.red-database-security.com/.../oracle_forms_run_any_os_command.html
Other References: US-CERT VU#472148:
http://www.kb.cert.org/vuls/id/472148
US-CERT VU#925261:
http://www.kb.cert.org/vuls/id/925261