
Monday, 12 December 2016

How To Bypass .htaccess Controls in Oracle Reports For CVE-2012-3152 And CVE-2012-3153

Security researcher Dana Taylor discovered CVE-2012-3152/3153 back in 2011/2012.

Some system administrators created .htaccess entries that would block /reports/rwservlet/<command>; however, by removing the “/” from between rwservlet and the command, you can bypass the .htaccess control and access the application.



This means vulnerability scanners will need to be updated, pentesters need to be made aware of it, and IDS/IPS companies will need to create new rules to detect this bypass.
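For the detection side, the sketch below (an added example, not part of the original post or of any vendor rule set) runs a slash-based rule and a prefix-based rule over access-log lines and reports requests that reach rwservlet but that the slash-based rule does not see. The two regexes, the command name `somecmd`, and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined-log-format line: client IP first, then the quoted request and status.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Shape of the blocking entries described above: a "/" must follow rwservlet.
SLASH_RULE = re.compile(r"^/reports/rwservlet/", re.IGNORECASE)
# Prefix rule: rwservlet followed by anything, so the slash-less form matches too.
PREFIX_RULE = re.compile(r"^/reports/rwservlet", re.IGNORECASE)

def classify(line):
    """Return (client, path, verdict) for one log line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    path = target.split("?", 1)[0]      # the rules apply to the path only
    if SLASH_RULE.match(path):
        verdict = "covered"             # the slash-based control sees this
    elif PREFIX_RULE.match(path):
        verdict = "missed"              # rwservlet request the slash rule is blind to
    else:
        verdict = "unrelated"
    return client, path, verdict

def missed_by_client(lines):
    """Count, per client, the requests that only the prefix rule catches."""
    hits = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2] == "missed":
            hits[parsed[0]] += 1
    return dict(hits)

# Constructed sample log (documentation addresses, placeholder command "somecmd").
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2016:10:00:01 +0000] "GET /reports/rwservlet/somecmd HTTP/1.1" 403 199',
    '192.0.2.10 - - [12/Dec/2016:10:00:05 +0000] "GET /reports/rwservletsomecmd HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Dec/2016:10:00:09 +0000] "GET /reports/rwservletsomecmd?x=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Dec/2016:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(missed_by_client(SAMPLE_LOG))
```

The same prefix-versus-slash distinction applies to the blocking entry itself: a rule keyed on the `rwservlet` prefix covers both request forms, while one keyed on `rwservlet/` covers only the first.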


2 comments:

  1. Btw, much more and much worse is coming. Make sure to subscribe to my Youtube channel to be informed about them. Arbitrary file overwrites, bypassing of security controls to directly access data, and more. @ohensive_one.
