OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: skp (skp_at_bigunz.angrypacket.com)
Date: Wed Jul 17 2002 - 14:47:45 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                      - -- ------------------------- -- -
    [>(] AngryPacket Security Advisory [>(]
                       - -- ------------------------- -- -

    +--------------------- -- -
    + advisory information
    +------------------ -- -
    author: skp <skpbigunz.angrypacket.com>
    release date: 07/17/2002
    homepage: http://sec.angrypacket.com
    advisory id: 0x0004

    +-------------------- -- -
    + product information
    +----------------- -- -
    software: Oracle Reports Server
    vendor: Oracle
    homepage: http://www.oracle.com
    description: Reports Server is a commercially available
                   reporting package distributed by Oracle.

    +---------------------- -- -
    + vulnerability details
    +------------------- -- -
    problem: Information Disclosure
    affected: Oracle Reports Server
    explanation: Oracle reports server happily reports an excessive amount
    of
                   system information to unauthenticated remote users. Seems
    that
                   someone likes verbose debugging. These variables include:

                   # PATH
    D:\ORACLE\iSuites\Apache\fastcg;D:\ORACLE\806\jdk\bin
                   # ORACLE_HOME D:\ORACLE\806
                   # REPORTS60_PATH D:\WEB_REPORTS
                   # REPORTS60_TMP D:\ORACLE\806\REPORT60\TMP

                   Also, rwcgi60 likes to make sure you know versions:
                   # Oracle Reports Server CGI60 version 6.0, a Win32
    executable
                   # Oracle_Web_Listener/4.0.7.0.0 Enterprise Edition

                   Oh and don't forget the last few lines:
                   # Stdin is empty.
                   # CGI Command Line is used
                   # main.argv[0] d:\oracle\806\tools\web60\cgi\rwcgi60.EXE

                   This level of information should not be given out to the
    public,
                   someone could poke an eye out with that stuff. An attacker
    could
                   use information gleaned from rwcgi60 to identify vulnerable
                   software, dev kits, etc installed on the system which
    could be
                   used as points of entry.

    risk: At this time rwcgi60 offers no more than excessive
    information
                   disclosure so this is classified as a low risk exposure.

    status: Vendor was notified 07/09/02

    exploit: http://some.site.com/cgi-bin/rwcgi60
                   http://some.site.com/cgi-bin/rwcgi60/showenv

    fix: Configuration issue. See Oracle note 133957.1 -
    Restricting Access
                   to the Reports Server Environment and Output.

    +-------- -- -
    + credits
    +----- -- -
    Bug was found by skp of AngryPacket security group.

    +----------- -- -
    + disclaimer
    +-------- -- -
    The contents of this advisory are Copyright (c) 2002 AngryPacket
    Security, and may be distributed freely provided that no fee is charged
    for distribution and that proper credit is given. As such, AngryPacket
    Security group, collectively or individually, shall not be held liable
    or responsible for the misuse of any information contained herein.

                       - -- ------------------------- -- -
    [>(] AngryPacket Security Advisory [>(]
                       - -- ------------------------- -- -