Date: Wed, 17 Jul 2002 12:47:45 -0700
From: skp <[email protected]>
To: [email protected]Subject: [AP] Oracle Reports Server Information Disclosure Vulnerability
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
+--------------------- -- -
+ advisory information
+------------------ -- -
author: skp <[email protected]>
release date: 07/17/2002
homepage: http://sec.angrypacket.com
advisory id: 0x0004
+-------------------- -- -
+ product information
+----------------- -- -
software: Oracle Reports Server
vendor: Oracle
homepage: http://www.oracle.com
description: Reports Server is a commercially available
reporting package distributed by Oracle.
+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem: Information Disclosure
affected: Oracle Reports Server
explanation: Oracle reports server happily reports an excessive amount
of
system information to unauthenticated remote users. Seems
that
someone likes verbose debugging. These variables include:
# PATH
D:\ORACLE\iSuites\Apache\fastcg;D:\ORACLE\806\jdk\bin
# ORACLE_HOME D:\ORACLE\806
# REPORTS60_PATH D:\WEB_REPORTS
# REPORTS60_TMP D:\ORACLE\806\REPORT60\TMP
Also, rwcgi60 likes to make sure you know versions:
# Oracle Reports Server CGI60 version 6.0, a Win32
executable
# Oracle_Web_Listener/4.0.7.0.0 Enterprise Edition
Oh and don't forget the last few lines:
# Stdin is empty.
# CGI Command Line is used
# main.argv[0] d:\oracle\806\tools\web60\cgi\rwcgi60.EXE
This level of information should not be given out to the
public,
someone could poke an eye out with that stuff. An attacker
could
use information gleaned from rwcgi60 to identify vulnerable
software, dev kits, etc installed on the system which
could be
used as points of entry.
risk: At this time rwcgi60 offers no more than excessive
information
disclosure so this is classified as a low risk exposure.
status: Vendor was notified 07/09/02
exploit: http://some.site.com/cgi-bin/rwcgi60http://some.site.com/cgi-bin/rwcgi60/showenv
fix: Configuration issue. See Oracle note 133957.1 -
Restricting Access
to the Reports Server Environment and Output.
+-------- -- -
+ credits
+----- -- -
Bug was found by skp of AngryPacket security group.
+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
