A servlet component of Oracle Configurator may disclose sensitive version and host information to any Web user who makes a crafted request to the server.
Oracle Configurator is an Internet application used to configure Oracle Application and Database Servers.
If a user sends a request to the Oracle Configurator servlet component named "oracle.apps.cz.servlet.UiServlet" with CGI variable "test" set to "version", the servlet returns sensitive build and schema information. If a user sends a request with CGI variable "test" set to "host", the servlet returns the hostname and the port on which the Oracle Apache web server is running.
Attackers may learn sensitive information about an Oracle installation, which may aid them in attacking the system.
Apply a patch from your vendor.
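To check whether the servlet has been queried in the way described above, the following added example (not part of the original advisory and not Oracle code) scans web server access logs for requests to `oracle.apps.cz.servlet.UiServlet` that carry `test=version` or `test=host`. It assumes Common/Combined Log Format and that the variable appears in the query string; the URL prefix and client addresses in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SERVLET = "oracle.apps.cz.servlet.uiservlet"   # class name from the advisory, lower-cased
PROBE_VALUES = {"version", "host"}             # "test" values the advisory names

# Common/Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (client, test_value, status) for a UiServlet test request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode the path so percent-encoded or mixed-case class names still match.
    if SERVLET not in unquote(parts.path).lower():
        return None
    # parse_qs percent-decodes names and values, so test=%68ost is seen as "host".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() != "test":   # lenient on case: prefer over-flagging
            continue
        for value in values:
            value = value.strip().lower()
            if value in PROBE_VALUES:
                return (m.group("client"), value, int(m.group("status")))
    return None

def find_probes(lines):
    """Collect every matching request from an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample lines: addresses, URL prefix, sizes and times are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2002:10:00:01 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=version HTTP/1.0" 200 512',
    '192.0.2.10 - - [31/Jul/2002:10:00:05 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?foo=1&test=%68ost HTTP/1.0" 200 87',
    '198.51.100.7 - - [31/Jul/2002:10:02:11 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=other HTTP/1.0" 200 300',
    '198.51.100.7 - - [31/Jul/2002:10:02:15 +0000] "GET /index.html?test=version HTTP/1.0" 200 1024',
    '203.0.113.5 - - [31/Jul/2002:11:30:00 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=host HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for client, value, status in find_probes(SAMPLE_LOG):
        print(f"{client} requested test={value} (HTTP {status})")
```

The status code in each hit separates requests the server answered from ones it refused, which helps when confirming that a patch or access restriction is in effect.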
Thanks to Oracle for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-07-31
Date Last Updated: 2002-07-31 22:51 UTC