OSVDB ID: 86394

Title: Oracle Forms and Reports Developer Component Servlet /reports/rwservlet/parsequery Cleartext Database Credentials Remote Disclosure

Info

Disclosure

Oct 16, 2012

Discovery

Unknown

Dates

Exploit

Jan 27, 2014

Solution

Oct 16, 2012

Description

Oracle Forms and Reports contains a flaw that is triggered when a request is made to the /reports/rwservlet/parsequery script. By supplying a specific keymap (obtainable via /reports/rwservlet/showmap query), the program will return diagnostic information including the cleartext database credentials.

Classification

Location: Remote / Network Access
Attack Type: Cryptographic
Impact: Loss of Confidentiality
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

Products

Oracle Corporation

Forms and Reports

11.1.2.0
11.1.1.4

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/86394