Probably one of this are the vulnerabilty descriptions of the bugs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4017
If it's the same issue, Oracle didn't contacted me to notify me about it.. if it is that bug, then it could be fixed via: https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html or in that case http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html Greetings!! -- Eduardo http://www.sirdarckcat.net/ On Mon, Jan 19, 2009 at 10:56 PM, Eduardo Vela <sirdarck...@gmail.com>wrote: > Server Version Info: Oracle-Application-Server-10g/10.1.3.1.0 > Oracle-HTTP-Server > PoC: http://OC4J/web-app/foobar/%c0%ae%c0%ae/WEB-INF/web.xml > Related: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 > Explaination: The "%c0%ae%c0%ae" is interpreted as: ".." because on > Java's side: "%c0%ae" is interpreted as: "\uC0AE" that get's casted to > an ASCII-LOW char, that is: ".". > > You can read dangerous configuration information including passwords, > users, paths, etc.. > Discovered: 8/16/08 > Vendor contacted: 8/16/08 > Vendor response: 8/18/08 > Vendor reproduced the issue: 9/10/08 > Vendor last contact: 9/30/08 > Public Disclosure: 1/19/09 > > Oracle security bug id: 7391479 > > For more information contact Oracle Security Team: secalert...@oracle.com > > I really wanted to give a link to a patch, but I think it's better if > this is known by sysadmins so they can filter this using an IDS. > > Greetings!! > > -- Eduardo > http://www.sirdarckcat.net/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
