Signature Detail

DB: Oracle Reports XML Disclosure

This signature detects an attempt to disclose the content of arbitrary XML file present on an Oracle Reports Server.

Extended Description

Various Oracle products -- Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Portal, JD Edwards EnterpriseOne Tools, OneWorld Tools, Oracle Developer Suite, and Oracle Workflow -- are prone to multiple vulnerabilities. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Oracle has released a Critical Patch Update advisory for January 2006 to address these vulnerabilities. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier, unsupported releases are likely to be affected by the issues as well.

Affected Products

• HP Oracle for OpenView 8.1.7
• HP Oracle for OpenView 9.1.01
• HP Oracle for OpenView 9.2
• Oracle Application Server 10g 10.1.2
• Oracle Application Server 10g 9.0.4
• Oracle Application Server 10g 9.0.4 .1
• Oracle Application Server 10g 9.0.4 .2
• Oracle Application Server Release 2 10.1.2 .0.0
• Oracle Application Server Release 2 10.1.2 .0.1
• Oracle Application Server Release 2 10.1.2 .0.2
• Oracle Collaboration Suite Release 1 10.1.1
• Oracle Collaboration Suite Release 1 10.1.2
• Oracle Collaboration Suite Release 1
• Oracle Collaboration Suite Release 2 9.0.4 .2
• Oracle Developer Suite 10.1.2
• Oracle Developer Suite 9.0.2 .1
• Oracle Developer Suite 9.0.4 .1
• Oracle Developer Suite 9.0.4 .2
• Oracle E-Business Suite 11i 11.5.1
• Oracle E-Business Suite 11i 11.5.10
• Oracle E-Business Suite 11i 11.5.2
• Oracle E-Business Suite 11i 11.5.3
• Oracle E-Business Suite 11i 11.5.4
• Oracle E-Business Suite 11i 11.5.5
• Oracle E-Business Suite 11i 11.5.6
• Oracle E-Business Suite 11i 11.5.7
• Oracle E-Business Suite 11i 11.5.8
• Oracle E-Business Suite 11i 11.5.9
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .3
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .4
• Oracle JD Edwards EnterpriseOne 8.95.0 F1
• Oracle JD Edwards EnterpriseOne SP23_L1
• Oracle Oracle10g Application Server 10.1.2
• Oracle Oracle10g Application Server 10.1.2 .0.1
• Oracle Oracle10g Application Server 10.1.2 .0.2
• Oracle Oracle10g Application Server 10.1.2 .1.0
• Oracle Oracle10g Application Server 9.0.4 .1
• Oracle Oracle10g Application Server 9.0.4 .2
• Oracle Oracle10g Enterprise Edition 10.1.0 .0.3
• Oracle Oracle10g Enterprise Edition 10.1.0 .0.4
• Oracle Oracle10g Personal Edition 10.1.0 .0.3
• Oracle Oracle10g Personal Edition 10.1.0 .0.4
• Oracle Oracle10g Standard Edition 10.1.0 .0.3
• Oracle Oracle10g Standard Edition 10.1.0 .0.4
• Oracle Oracle10g Standard Edition 10.1.0 .0.5
• Oracle Oracle10g Standard Edition 10.1.0 .4.2
• Oracle Oracle10g Standard Edition 10.2.0.1
• Oracle Oracle8 8.0.6
• Oracle Oracle8 8.0.6 .3
• Oracle Oracle8 8.1.7 .4
• Oracle Oracle8i Enterprise Edition 8.1.7.4.0
• Oracle Oracle8i Standard Edition 8.0.6
• Oracle Oracle8i Standard Edition 8.0.6 .3
• Oracle Oracle8i Standard Edition 8.1.7 .4
• Oracle Oracle9i Application Server 1.0.2 .2
• Oracle Oracle 9i Application Server Release 1 1.0.2 .2
• Oracle Oracle9i Enterprise Edition 9.0.1 .4
• Oracle Oracle9i Enterprise Edition 9.0.1 .5
• Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Standard Edition 9.2.0 .6
• Oracle Oracle9i Standard Edition 9.2.0 .7
• Oracle Workflow 11.5.1
• Oracle Workflow 11.5.9 .5
• PeopleSoft Enterprise Portal 8.4.0
• PeopleSoft Enterprise Portal 8.8.0
• PeopleSoft Enterprise Portal 8.9.0

References

• BugTraq: 16287
• CVE: CVE-2005-2378
• URL: http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
• URL: http://securitytracker.com/id?1014525
• URL: http://securitytracker.com/id?1014527