[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure
- To: Shatter <shatter@xxxxxxxxxxxxx>
- Subject: [Full-disclosure] TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure
- From: Shatter <shatter@xxxxxxxxxxxxx>
- Date: Fri, 21 Jan 2011 15:35:21 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TeamSHATTER Security Advisory
January 20, 2011
Risk Level:
Low
Affected versions:
Oracle Database Server version 10gR2, 11gR1 and 11gR2
Remote exploitable:
No
Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of
Application Security Inc.
Details:
It is possible to know the Session ID getting the directory contents from
ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/images/dvcache
In this directory there are some .gif files that have a valid web session id in
their names.
This directory has read permissions for everyone by default.
For example, file
h1cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d61271722801217.gif
corresponds to session ID:
cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d6
These .gif files seem to be auto-generated when the 'Monitor' web page is
accessed by an administrator from the Oracle Database Vault Administrator web
console.
After getting a valid Session ID an attacker can impersonate the web
application user and make web requests on his behalf.
Impact:
It is possible for a local user to know the Session ID of an administrator that
is using the Oracle Database Vault Administrator web console and perform
operations on the administrator's behalf.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability. To narrow the time window when
this vulnerability can be exploited you should Log off from Oracle Database
Vault Administrator web console as soon as you finished using it and do not
keep the session open until it expires.
Fix:
Apply Oracle Critical Patch Update January 2011 available at Oracle Metalink.
CVE:
CVE-2010-4420
Links:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.teamshatter.com/topics/security-advisory/advisory-oracle-database-vault-administrator-web-console-session-id-disclosure
Timeline:
Vendor Notification - 6/30/2010
Vendor Response - 6/30/2010
Fix - 1/18/2011
Public Disclosure - 1/20/2011
Application Security, Inc's database security solutions have helped over 2000
organizations secure their databases from all internal and external threats
while also ensuring that those organizations meet or exceed regulatory
compliance and audit requirements.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
iEYEARECAAYFAk057e8ACgkQRx91imnNIgEIHACdGiyDfMRocfKsH19kSGKQcqwq
ZCIAoNgGFemBsdxPAgOYRRBRM63CF/Fh
=aooB
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/