- -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                   - -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author:       skp <skp@bigunz.angrypacket.com>
release date: 07/17/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0004

+-------------------- -- -
+ product information
+----------------- -- -
software:     Oracle Reports Server
vendor:       Oracle
homepage:     http://www.oracle.com
description:  Reports Server is a commercially available
               reporting package distributed by Oracle.

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Information Disclosure
affected:     Oracle Reports Server
explanation:  Oracle reports server happily reports an excessive amount 
of
               system information to unauthenticated remote users. Seems 
that
               someone likes verbose debugging. These variables include:

               # PATH 
D:\ORACLE\iSuites\Apache\fastcg;D:\ORACLE\806\jdk\bin
               # ORACLE_HOME D:\ORACLE\806
               # REPORTS60_PATH D:\WEB_REPORTS
               # REPORTS60_TMP D:\ORACLE\806\REPORT60\TMP

               Also, rwcgi60 likes to make sure you know versions:
               # Oracle Reports Server CGI60 version 6.0, a Win32 
executable
               # Oracle_Web_Listener/4.0.7.0.0 Enterprise Edition

               Oh and don't forget the last few lines:
               # Stdin is empty.
               # CGI Command Line is used
               # main.argv[0] d:\oracle\806\tools\web60\cgi\rwcgi60.EXE

               This level of information should not be given out to the 
public,
               someone could poke an eye out with that stuff. An attacker 
could
               use information gleaned from rwcgi60 to identify vulnerable
               software, dev kits, etc installed on the system which 
could be
               used as points of entry.

risk:         At this time rwcgi60 offers no more than excessive 
information
               disclosure so this is classified as a low risk exposure.

status:       Vendor was notified 07/09/02

exploit:      http://some.site.com/cgi-bin/rwcgi60
               http://some.site.com/cgi-bin/rwcgi60/showenv

fix:          Configuration issue. See Oracle note 133957.1 - 
Restricting Access
               to the Reports Server Environment and Output.

+-------- -- -
+ credits
+----- -- -
Bug was found by skp of AngryPacket security group.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                   - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                   - -- ------------------------- -- -