I'm using Oracle Reports with Oracle Database 10g R2; however, there is a bug like local file inclusion or maybe code execution in my report URL.
When someone accesses a URL like this: mysite.com:7777/reports/rwservlet?report=test.pdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER="file:///etc/passwd"
it will download a file containing a user and directory from my server. Can anyone explain to me how to patch this bug? Is there any patch available from Oracle, or must I fix this bug by adding some filtering/escaping to my vulnerable parameter?
Thank you very much.
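A log check for the request pattern in the question, added here as an example and not part of the original post: it flags rwservlet requests with JOBTYPE=rwurl whose URLPARAMETER scheme is not on an allow-list. The allow-list, the access-log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: only these schemes are legitimate for URLPARAMETER in this deployment.
ALLOWED_SCHEMES = {"http", "https"}

# Request line inside a common/combined access-log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; only the first matches the URL shape from the question.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /reports/rwservlet?report=test.pdf'
    '+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22file:///etc/passwd%22'
    ' HTTP/1.1" 200 1432',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /reports/rwservlet?report=test.pdf'
    '+destype=cache+jobtype=rwurl+urlparameter=http://intranet.example/status HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /reports/rwservlet?report=sales.rdf'
    '+destype=cache+desformat=pdf HTTP/1.1" 200 20480',
]


def parse_rwservlet_params(target):
    """Return rwservlet parameters as a dict with lower-cased keys, or None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/rwservlet"):
        return None
    params = {}
    # The URL in the question separates pairs with '+'; '&' is handled as well.
    for pair in re.split(r"[+&]", query):
        key, sep, value = pair.partition("=")
        if sep:
            # Decode, then drop surrounding quotes (raw, or backslash-escaped in logs).
            params[unquote(key).lower()] = unquote(value).strip("\"'\\")
    return params


def flag_rwurl_requests(log_lines):
    """Return (line_number, scheme, value) for rwurl jobs with a disallowed scheme."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        params = parse_rwservlet_params(match.group(1)) if match else None
        if not params or params.get("jobtype", "").lower() != "rwurl":
            continue
        value = params.get("urlparameter", "")
        scheme = urlsplit(value).scheme  # urlsplit lower-cases the scheme
        if scheme not in ALLOWED_SCHEMES:
            hits.append((number, scheme or "(none)", value))
    return hits
```

The same scheme allow-list can be enforced in a reverse proxy or servlet filter in front of rwservlet, so that disallowed requests are rejected rather than only reported.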