Signature Detail

DB: Oracle Report Command Injection

This signature detects attempts to exploit a known vulnerability against Oracle Reports Services, a component of Oracle Application Server. The vulnerability is caused due to a flaw that allows for the unrestricted execution of Reports executables using an absolute path. An attacker with the ability to upload a Reports executable to the application server, might be able to run any OS command or read/write arbitrary text files on the application server.

Extended Description

Oracle Reports Server is susceptible to an unauthorized report execution vulnerability. By placing a report file in a globally accessible location, users can trigger the execution of the report by issuing an HTTP GET request to the affected servlet containing the full path of the file. Attackers may exploit this vulnerability to execute arbitrary commands, or read/write arbitrary files with the privileges of the Oracle account under which the server is executing. It should be noted that this issue may be remotely exploited if an attacker has means to write files to the serving computer (WebDAV, FTP, CIFS, etc.) without local access.

Affected Products

• Oracle Oracle Reports 10g 9.0.0
• Oracle Oracle Reports 10g 9.0.1
• Oracle Oracle Reports 10g 9.0.2
• Oracle Oracle Reports 10g 9.0.3
• Oracle Oracle Reports 10g 9.0.4
• Oracle Oracle Reports 10g 9.0.4 .3.3
• Oracle Oracle Reports 6
• Oracle Oracle Reports6i 6.0.8
• Oracle Oracle Reports6i 6.0.8 .19
• Oracle Oracle Reports 9i

References

• BugTraq: 14316
• URL: http://www.oracle.com/technology/products/reports/index.html
• URL: http://www.securityfocus.com/archive/1/405689