Oracle rwservlet Report Arbitrary File Overwrite

2004-09-09T19:21:07
ID OSVDB:9815
Type osvdb
Reporter OSVDB
Modified 2004-09-09T19:21:07

Description

Vulnerability Description

Oracle Reports contains a flaw that may allow an attacker to overwrite arbitrary files. The issue is due to the rwservlet endpoint not properly sanitizing the user-supplied 'desname' request parameter. When 'destype' is set to 'file', supplying an arbitrary server path in 'desname' causes rwservlet to write the report output to that location, overwriting the file with report contents.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the 'rwservlet' script from the web server.

Manual Testing Notes

http://[victim]/reports/rwservlet?destype=file&desname=[PATH ON SERVER]
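As an added example (not part of the OSVDB record), the following detector scans web server access logs for the request pattern described above: calls to rwservlet with destype=file and a desname parameter, classifying the supplied path. The log lines are constructed samples in Apache common log format; the function and field names are the example's own.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Sep/2004:19:21:07 +0000] "GET /reports/rwservlet?report=sales.rdf&destype=cache&desformat=pdf HTTP/1.1" 200 5120
10.0.0.9 - - [09/Sep/2004:19:22:11 +0000] "GET /reports/rwservlet?destype=file&desname=/etc/passwd HTTP/1.1" 200 0
10.0.0.9 - - [09/Sep/2004:19:22:40 +0000] "GET /reports/rwservlet?destype=file&desname=..%2F..%2Fconf%2Fhttpd.conf HTTP/1.1" 200 0
10.0.0.7 - - [09/Sep/2004:19:23:02 +0000] "GET /reports/rwservlet?destype=file&desname=report_out.pdf HTTP/1.1" 200 1024
10.0.0.8 - - [09/Sep/2004:19:23:30 +0000] "GET /index.html HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def desname_risk(desname: str) -> Optional[str]:
    """Classify a desname value; None means it looks like a plain relative file name."""
    d = desname.replace("\\", "/")
    if d.startswith("/") or re.match(r"^[A-Za-z]:/", d):
        return "absolute-path"      # writes anywhere the report server can reach
    if ".." in d.split("/"):
        return "traversal"          # escapes the intended output directory
    return None


def find_rwservlet_file_writes(log_text: str) -> list:
    """Return one record per request that asks rwservlet to write a report to a server path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not parts.path.lower().endswith("/rwservlet"):
            continue
        q = parse_qs(parts.query)   # parse_qs percent-decodes values such as %2F
        if q.get("destype", [""])[0].lower() != "file":
            continue
        for name in q.get("desname", []):
            hits.append({"ip": m["ip"], "ts": m["ts"], "desname": name,
                         "risk": desname_risk(name) or "relative-name"})
    return hits
```

Any hit with an absolute or traversal path warrants immediate review, since the page gives no patch and the only workaround is removing rwservlet.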

References:

Vendor URL: http://www.oracle.com/
Vendor Specific Advisory URL:
Related OSVDB ID: 9816