Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Oracle Files Configuration May Disclose Restricted Contents to Remote Authenticated Users
|
|
SecurityTracker Alert ID: 1008024
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 28 2003
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 9.0.3.1.x, 9.0.3.2.0, and 9.0.3.3.x
|
Description: A vulnerability was reported in Oracle Files, a component of Oracle Collaboration Suite Release 1. A remote authenticated user may be able to gain access to restricted files.
It is reported that Oracle Files does not override the Oracle WebCache default cache rules (set to cache js, html, pdf, bmp/png,
and jpg/jpeg files). As a result, some of these types of files in a restricted folder can reportedly be accessed by remote authenticated
users.
Releases 9.0.3.1.x, 9.0.3.2.0, and 9.0.3.3.x are affected.
Oracles notes that Release 9.0.4.1.x is not affected and
E-business Suite is also not affected.
|
Impact: A remote authenticated user may be able to view restricted content on the target server.
|
Solution: The vendor has issued a patched version (9.0.3.3.6), available via MetaLink at:
http://metalink.oracle.com
Look for patch number
3036419.
Oracle has also described some workaround steps in their advisory, available at:
http://otn.oracle.com/deploy/security/pdf/2003alert60.pdf
|
Vendor URL: otn.oracle.com/deploy/security/pdf/2003alert60.pdf (Links to External Site)
|
Cause: Access control error, Configuration error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 28 Oct 2003 16:17:30 -0500
Subject: http://otn.oracle.com/deploy/security/pdf/2003alert60.pdf
|
http://otn.oracle.com/deploy/security/pdf/2003alert60.pdf
> Oracle Security Alert #60
> Dated: 28 October 2003
> Severity: 2
Oracle reported that there is a vulnerability in "Oracle Files", shipped with Oracle
Collaboration Suite Release 1. A remote authenticated user may be able to gain access to
restricted content, the report said.
According to the report, the Oracle WebCache default cache rules (set to cache js, html,
pdf, bmp/png, and jpg/jpeg files) are not overridden by Oracle Files. As a result, some
of these types of files in a restricted folder can be accessed by remote authenticated users.
Releases 9.0.3.1.x, 9.0.3.2.0, and 9.0.3.3.x are affected.
Oracles notes that Release 9.0.4.1.x is not affected and E-business Suite is also not
affected.
The vendor has issued a patched version (9.0.3.3.6), available via MetaLink at:
http://metalink.oracle.com
Look for patch number 3036419.
|
|
Go to the Top of This SecurityTracker Archive Page
|
