Vulnerability Note VU#158323

Oracle Configurator discloses version and host information via "test" argument passed to servlet

Overview

A servlet component of Oracle Configurator may post sensitive version and host information to any Web user that makes a crafted request to the server.

I. Description

Oracle Configurator is an Internet application used to configure Oracle Application and Database Servers.

If a user sends a request to the Oracle Configurator servlet component named "oracle.apps.cz.servlet.UiServlet" with CGI variable "test" set to "version", the servlet returns sensitive build and schema information. If a user sends a request with CGI variable "test" set to "host", the servlet returns the hostname and the port on which the Oracle Apache web server is running.

II. Impact

Attackers may learn sensitive information about an Oracle installation, which may aid them in attacking the system.

III. Solution

Apply a patch from your vendor

Refer to Oracle Security Alert #31 for details:

http://technet.oracle.com/deploy/security/htdocs/oconfigvul.html

Systems Affected

Vendor	Status	Date Notified	Date Updated
Oracle	Vulnerable	7-Jun-2002

References

http://technet.oracle.com/deploy/security/htdocs/oconfigvul.html
http://securitytracker.com/alerts/2002/Apr/1003967.html
http://www.securityfocus.com/bid/4433

Credit

Thanks to Oracle for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public:	2002-04-01
Date First Published:	2002-07-31
Date Last Updated:	2002-07-31
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	9.38
Document Revision:	8

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader