|
Oracle Reports / Forms Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA16092
|
|
|
Release Date:
|
2005-07-20
|
|
Last Update:
|
2006-01-20
|
|
Popularity:
|
23,842 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
Privilege escalation
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Partial Fix
|
|
| Software: | Oracle Application Server 10g
Oracle Developer Suite 10g
Oracle9i Application Server
Oracle9i Developer Suite
|
|
|
Secunia CVSS-2 Score:
|
Available in Secunia business solutions 
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
| Advisory Content (Page 1 of 3) | [ 1 ] [ 2 ] [ 3 ] | |
|
Description:
Alexander Kornbrust has reported some vulnerabilities in Oracle Reports and Forms, which can be exploited to gain escalated privileges, gain knowledge of certain information, overwrite arbitrary files, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.
1) Input passed to various parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
Examples:
http://[host]:7778/reports/rwservlet/showenv?server=reptest&debug=[code]
http://[host]:7778/reports/rwservlet/parsequery?server=myserver&test=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=*+delimiter=[code]
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
user/pass@iasdb+destype=localFile+desformat=delimited+desname=
FILE:+CELLWRAPPER=[code]
The vulnerability has been reported in Oracle Reports 9.0.2 with patchset 2. Other versions may also be affected.
2) It's possible to read a small part of the beginning of any XML file on a vulnerable system by passing the path to the file in the "customize" parameter.
Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=cache+desformat=xml+CUSTOMIZE=[path_to_file]
3) It's possible to read a small part of the beginning of any file on a vulnerable system by passing the path to the file in the "desformat" parameter.
Example:
http://[host]:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=
userid=user/pass@iasdb+destype=file+MODE=CHARACTER+desformat=[path_to_file]
4) It is possible to overwrite arbitrary files by passing a specially crafted string to the "desname" parameter. On Windows, it is reportedly possible to overwrite any file. On Linux, it possible to overwrite any file belonging to the Oracle Application Server user.
The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.
5) It is possible to execute arbitrary reports files (*.rep and *.rdf) by specifying the path to the file in the "report" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users or people, who can place a malicious reports file in a directory on the server.
Example:
http://[host]:7779/reports/rwservlet?server=repserv+report=[path_to_file]
+destype=cache+desformat=PDF
The vulnerability has been reported in Oracle Reports 6.0, 6i, 9i, and 10g.
6) It is possible to execute arbitrary forms files (*.fmx) by specifying the path to the file in the "form" or "module" parameter. This can be exploited to execute arbitrary commands with user "Oracle" or SYSTEM privileges by local users or people, who can place a malicious reports file in a directory on the server.
Examples:
http://[host]:7779/forms90/f90servlet?form=[path_to_file]
http://[host]:7779/forms90/f90servlet?module=[path_to_file]
The vulnerability has been reported in Oracle Forms 4.5, 5.0, 6.0, 6i, 9i, and 10g.
Change Page:
[ 1 ] [ 2 ] [ 3 ]
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
3rd Jul, 2009
|
New advisories:
|
19 |
|
New vulnerabilities:
|
26 |
|
Updated advisories:
|
22 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
