Re: [Full-disclosure] Oracle Containers For Java Directory-Traversal- (OC4J) Oracle Application Server 10g (10.1.3.1.0)-Oracle HTTP Server

From: Mark Thomas <markt@apache.org>
To: Eduardo Vela <sirdarckcat@gmail.com>
Cc: bugtraq@securityfocus.com,full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Oracle Containers For Java Directory-Traversal- (OC4J) Oracle Application Server 10g (10.1.3.1.0)-Oracle HTTP Server
Date:


Eduardo Vela wrote:
> Probably one of this are the vulnerabilty descriptions of the bugs:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5460
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4017

Looks to be an exact match with
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938

Note that although initially reported as a Tomcat vulnerability, the root cause
is a JVM bug.

Mark


> 
> If it's the same issue, Oracle didn't contacted me to notify me about it..
> if it is that bug, then it could be fixed via:
> https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html
> 
> or in that case
> 
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
> 
> Greetings!!
> 
> -- Eduardo
> http://www.sirdarckcat.net/
> 
> 
> On Mon, Jan 19, 2009 at 10:56 PM, Eduardo Vela <sirdarckcat@gmail.com>wrote:
> 
>> Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0
>> Oracle-HTTP-Server
>> PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml
>> Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
>> Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on
>> Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to
>> an ASCII-LOW char, that is: ".".
>>
>> You can read dangerous configuration information including passwords,
>> users, paths, etc..
>> Discovered: 8/16/08
>> Vendor contacted: 8/16/08
>> Vendor response: 8/18/08
>> Vendor reproduced the issue: 9/10/08
>> Vendor last contact: 9/30/08
>> Public Disclosure: 1/19/09
>>
>> Oracle security bug id: 7391479
>>
>> For more information contact Oracle Security Team: secalert_us@oracle.com
>>
>> I really wanted to give a link to a patch, but I think it's better if
>> this is known by sysadmins so they can filter this using an IDS.
>>
>> Greetings!!
>>
>> -- Eduardo
>> http://www.sirdarckcat.net/
>>
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/






Copyright © 1995-2019 LinuxRocket.net. All rights reserved.