Overview
A servlet component of Oracle Configurator may disclose sensitive version and host information to any Web user who makes a crafted request to the server.
Description
Oracle Configurator is an Internet application used to configure Oracle Application and Database Servers. If a user sends a request to the Oracle Configurator servlet component named "oracle.apps.cz.servlet.UiServlet" with CGI variable "test" set to "version", the servlet returns sensitive build and schema information. If a user sends a request with CGI variable "test" set to "host", the servlet returns the hostname and the port on which the Oracle Apache web server is running.
Impact
Attackers may learn sensitive information about an Oracle installation, which may aid them in attacking the system.
Solution
Apply a patch from your vendor.
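To check whether the requests described above have already reached a server, the following added example (not part of the original note and not Oracle code) scans web server access log lines for hits on oracle.apps.cz.servlet.UiServlet with "test" set to "version" or "host". The log format, the "/PLACEHOLDER/" path prefix and the sample lines are constructed assumptions, and matching is case-insensitive as a conservative choice.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet name and parameter values come from the advisory text.
SERVLET = "oracle.apps.cz.servlet.uiservlet"
PROBE_VALUES = {"version", "host"}

# Assumption: Apache common/combined log format, request line in quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_disclosure_probes(log_lines):
    """Return (client, test_value, raw_target) for each matching request."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        parts = urlsplit(target)
        # Decode the path so a percent-encoded servlet name still matches.
        if SERVLET not in unquote(parts.path).lower():
            continue
        # parse_qs percent-decodes parameter names and values.
        for name, values in parse_qs(parts.query).items():
            if name.lower() != "test":
                continue
            for value in values:
                if value.strip().lower() in PROBE_VALUES:
                    client = line.split(" ", 1)[0]
                    hits.append((client, value.strip().lower(), target))
    return hits


# Constructed sample lines; "/PLACEHOLDER/" stands in for the real servlet path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2002:10:00:00 +0000] "GET /PLACEHOLDER/oracle.apps.cz.servlet.UiServlet?test=version HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Aug/2002:10:00:05 +0000] "GET /PLACEHOLDER/oracle.apps.cz.servlet.UiServlet?foo=1&test=ho%73t HTTP/1.0" 200 128',
    '198.51.100.7 - - [01/Aug/2002:10:01:00 +0000] "GET /PLACEHOLDER/oracle.apps.cz.servlet.UiServlet?test=other HTTP/1.0" 200 90',
    '198.51.100.7 - - [01/Aug/2002:10:01:30 +0000] "GET /index.html?test=version HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, value, target in find_disclosure_probes(SAMPLE_LOG):
        print(f"{client} requested test={value}: {target}")
```

Only parameters carried in the query string appear in access logs, so requests that send "test" in a POST body are not covered by this check.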
Acknowledgements
Thanks to Oracle for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | None |
| Severity Metric: | 9.38 |
| Date Public: | 2002-04-01 |
| Date First Published: | 2002-07-31 |
| Date Last Updated: | 2002-07-31 22:51 UTC |
| Document Revision: | 8 |