Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
Related: http://cve.mitre.org/cgi-bin/
Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to an ASCII-LOW char, that is: ".".
You can read dangerous configuration information including passwords, users, paths, etc..
Discovered: 8/16/08
Vendor contacted: 8/16/08
Vendor response: 8/18/08
Vendor reproduced the issue: 9/10/08
Vendor last contact: 9/30/08
Public Disclosure: 1/19/09
Oracle security bug id: 7391479
For more information contact Oracle Security Team: secalert_us@oracle.com
I really wanted to give a link to a patch, but I think it's better if this is known by sysadmins so they can filter this using an IDS.
Greetings!!
Monday, January 19, 2009
Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
at 10:27 PM
Labels: directory traversal, oracle