{"vuid":"VU#472148","idnumber":"472148","name":"Oracle Reports arbitrary file writing vulnerability","keywords":["Oracle","Application Server","overwriting of files","Oracle Reports","REP06","oracle_cpu_january_2006"],"overview":"Oracle Reports fails to validate URI parameters, possibly allowing a remote attacker to overwrite arbitrary files on the Reports Server.","clean_desc":"Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and inserts it into a formatted report. It is a component of Oracle Application Server and the Oracle Developer Suite. Oracle Reports are accessible over a network via a URI. Improper validation on the desname URI parameter may allow a remote attacker to overwrite or create arbitrary files on the server where the Oracle Reports service is installed. Based on research into public information, we believe that this issue is Oracle vuln# REP06 in the Oracle CPU for January 2006. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.","impact":"By sending a specially crafted URI to Oracle Reports, a remote attacker may be able to overwrite files on the server with the privileges of the Oracle Reports process. Depending on which file was created or overwritten, this could allow the attacker to gain elevated privileges or a cause a denial-of-service condition on the system.","resolution":"Apply patches \nThis issue is corrected in the Oracle Critical Patch Update for January 2006.","workarounds":"Restrict Access to Reports Server Allowing only trusted users access to Oracle Reports may reduce the chances of exploitation.","sysaffected":"","thanks":"This document is based on information provided by Alexander Kornbrust.","author":"This document was written by Jeff Gennari.","public":["http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html","http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html","http://secunia.com/advisories/16092/","http://www.securityfocus.com/bid/14309","http://securitytracker.com/id?1014524","http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html"],"cveids":["CVE-2005-2371"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-04-15T17:57:11Z","publicdate":"2005-07-21T00:00:00Z","datefirstpublished":"2006-01-19T16:34:47Z","dateupdated":"2006-01-20T16:42:17Z","revision":84,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"9","cam_population":"13","cam_impact":"13","cam_easeofexploitation":"14","cam_attackeraccessrequired":"12","cam_scorecurrent":"12.7764","cam_scorecurrentwidelyknown":"15.43815","cam_scorecurrentwidelyknownexploited":"26.08515","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.7764,"vulnote":null}