Secunia Logo  


Secunia PSI WorldMap
 
Oracle Reports / Forms Multiple Vulnerabilities
Secunia Advisory: SA16092
Release Date: 2005-07-20
Last Update: 2006-01-20
Popularity: 23,842 views

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of sensitive information
Privilege escalation
System access
Where: From remote
Solution Status: Partial Fix

Software:Oracle Application Server 10g
Oracle Developer Suite 10g
Oracle9i Application Server
Oracle9i Developer Suite

Secunia CVSS-2 Score: Available in Secunia business solutions

Subscribe: Instant alerts on relevant vulnerabilities


Advisory Content (Page 1 of 3)[ 1 ] [ 2 ] [ 3 ]

Description:
Alexander Kornbrust has reported some vulnerabilities in Oracle Reports and Forms, which can be exploited to gain escalated privileges, gain knowledge of certain information, overwrite arbitrary files, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.

1) Input passed to various parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

Examples:
http://[host]:7778/reports/rwservlet/showenv?server=reptest&debug=[code]
http://[host]:7778/reports/rwservlet/parsequery?server=myserver&test=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=*+delimiter=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=[code]

The vulnerability has been reported in Oracle Reports 9.0.2 with patchset 2. Other versions may also be affected.

2) It's possible to read a small part of the beginning of any XML file on a vulnerable system by passing the path to the file in the "customize" parameter.

Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=cache+desformat=xml+CUSTOMIZE=[path_to_file]

3) It's possible to read a small part of the beginning of any file on a vulnerable system by passing the path to the file in the "desformat" parameter.

Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=file+MODE=CHARACTER+desformat=[path_to_file]

4) It is possible to overwrite arbitrary files by passing a specially crafted string to the "desname" parameter. On Windows, it is reportedly possible to overwrite any file. On Linux, it possible to overwrite any file belonging to the Oracle Application Server user.

The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.

5) It is possible to execute arbitrary reports files (*.rep and *.rdf) by specifying the path to the file in the "report" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users or people, who can place a malicious reports file in a directory on the server.

Example:
http://[host]:7779/reports/rwservlet?server=repserv+report=[path_to_file]
+destype=cache+desformat=PDF

The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.

6) It is possible to execute arbitrary forms files (*.fmx) by specifying the path to the file in the "form" or "module" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users or people, who can place a malicious reports file in a directory on the server.

Examples:
http://[host]:7779/forms90/f90servlet?form=[path_to_file]
http://[host]:7779/forms90/f90servlet?module=[path_to_file]

The vulnerability has been reported in Oracle Forms 4.5, 5.0, 6.0, 6i, 9i, and 10g.

Change Page:
[ 1 ] [ 2 ] [ 3 ]



Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Apache mod_proxy Reverse Proxy Denial of Service Vulnerability // 32 views
2. Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability // 31 views
3. phpBB Cross Site Scripting and Unspecified Vulnerabilities // 29 views
4. SAM Broadcaster samPHPweb "commonpath" File Inclusion Vulnerability // 27 views
5. Adobe Flash Player Multiple Vulnerabilities // 24 views
6. Internet Explorer 7 Window Injection Vulnerability // 17 views
7. Microsoft Word Malformed Object Pointer Vulnerability // 17 views
8. Sun Lightweight Availability Collection Tool File Overwrite Vulnerability // 17 views
9. Apple Safari WebKit "servePendingRequests()" Use-After-Free Weakness // 17 views
10. Adobe Reader/Acrobat Multiple Vulnerabilities // 14 views