Oracle iPlanet Web Server | ¶à¸ö°²È«·ì϶¹«¸æ

°ä²¼¹¦·ò 2020-05-12

0x00 ·ì϶¸ÅÊö



²úÆ·

CVE ID

Àà ÐÍ

·ì϶µÈ¼¶

Ô¶³ÌÀûÓÃ

Ó°ÏìÁìÓò

Oracle iPlanet Web Server

CVE-2020-9314

I

ÖÐΣ

ÊÇ

Oracle iPlanet Web Server 7.0.x°æ±¾

CVE-2020-9315

ÖÐΣ

ÊÇ


0x01 ·ì϶ÏêÇé


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website


Oracle iPlanet Web Server£¨OiWS£©ÊÇÃÀ¹ú¼×¹ÇÎÄ£¨Oracle£©¹«Ë¾µÄÒ»¿îÖØÒªÓÃÓÚÖÐÐͺʹóÐÍÒµÎñÀûÓ÷¨Ê½µÄWeb·þÎñÆ÷¡£¡£ ¡£¡£¡£¡£¡£¡£

×î½ü£¬£¬£¬£¬ £¬£¬£¬£¬×êÑÐÈËÔ±·¢ÏÖÁËÁ½¸öÓ°ÏìOracle iPlanet Web ServerµÄ°²È«·ì϶£¬£¬£¬£¬ £¬£¬£¬£¬¸ú×Ùµ½µÄ·ì϶ΪCVE-2020-9314ºÍCVE-2020-9315£¬£¬£¬£¬ £¬£¬£¬£¬ËüÃÇ¿ÉÄܵ¼ÖÂ×¢Èë¹¥»÷ºÍÃô¸ÐÊý¾Ýй¶¡£¡£ ¡£¡£¡£¡£¡£¡£

CVE-2020-9314ÊÇOracle iPlanet Web ServerµÄWebÖÎÀí½ÚÔį̀ÖдæÔÚµÄÒ»¸ö×¢Èë·ì϶¡£¡£ ¡£¡£¡£¡£¡£¡£ÖÎÀí½ÚÔį̀Öеġ°productNameSrc¡±²ÎÊýÔÊÐí×¢Èë±í²¿Ó³Ïñ¡£¡£ ¡£¡£¡£¡£¡£¡£µ±Óë¡°productNameHeight¡±ºÍ¡°productNameWidth¡±²ÎÊý½áºÏʹÓÃʱ£¬£¬£¬£¬ £¬£¬£¬£¬Äܹ»½«±í²¿Í¼Ïñ×¢ÈëÕ¾µãÒÔÀûÓÚÍøÂç´¹µö¡£¡£ ¡£¡£¡£¡£¡£¡£ÕâÊÇÓÉÓÚCVE-2012-0516µÄ½¨²¹·¨Ê½²»ÆëÈ«ËùÖ¡£¡£ ¡£¡£¡£¡£¡£¡£½ÏÔçµÄ½¨¸´·¨Ê½Ôö³¤ÁËÕë¶ÔXSSÎÊÌâµÄÑéÖ¤£¬£¬£¬£¬ £¬£¬£¬£¬µ«¶ÔÈ·±£Ã»ÓмÓÔØ±í²¿Ó³ÏñδÔö³¤ÑéÖ¤¡£¡£ ¡£¡£¡£¡£¡£¡£

·ì϶ÑéÖ¤¿É³¢ÊÔÒÔÏÂÁ´½Ó£º

http://%5Btarget%5D/admingui/version/Version?&productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500

http://%5Btarget%5D/admingui/version/Masthead.jsp?productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500

CVE-2020-9315ÊÇOracle iPlanet Web ServerµÄWebÖÎÀí½ÚÔį̀ÖдæÔÚµÄÒ»¸ö°²È«·ì϶¡£¡£ ¡£¡£¡£¡£¡£¡£¸Ã·ì϶ʹµÃÎÞÐèÉí·ÝÑéÖ¤¼´¿É´Ó½ÚÔį̀ÖеÄÈκÎÒ³Ãæ¶ÁÊØÐÅÏ¢¡£¡£ ¡£¡£¡£¡£¡£¡£Õâ¿ÉÄܵ¼ÖÂÓйطþÎñÆ÷µÄÅäÏàÐÅÏ¢£¨Ô̺¬¼ÓÃÜÃÜÔ¿£¬£¬£¬£¬ £¬£¬£¬£¬JVMÅäÖúÍÆäËûÊý¾Ý£©µÄÃô¸ÐÊý¾Ýй¶¡£¡£ ¡£¡£¡£¡£¡£¡£¿£¿£¿£¿£¿£Äܹ»Í¨¹ý´úÌæÖÎÀí½ÚÔį̀ÖÐÈκÎÒ³ÃæµÄÈκÎURLÀ´ÊµÏÖ£¬£¬£¬£¬ £¬£¬£¬£¬ÈçÏÂËùʾ£º

http://%5Btarget%5D/admingui/admingui/*

http://%5Btarget%5D/admingui/°æ±¾/*

·ì϶ÑéÖ¤¿É³¢ÊÔÒÔÏÂÁ´½Ó£º

http://%5Btarget%5D/admingui/version/

http://%5Btarget%5D/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.Tabhref=2


0x02 ´ëÖý¨Òé


ÓÉÓÚOracle²»ÔÙÖ§³ÖOracle iPlanet Web Server 7.0.x£¬£¬£¬£¬ £¬£¬£¬£¬ËùÒÔ²»³ïËã°ä²¼°²È«²¹¶¡·¨Ê½¡£¡£ ¡£¡£¡£¡£¡£¡£

һʱ´ëÊ©£º

×îа汾µÄOracle GlassfishºÍEclipse GlassfishÓëiPlanet¹²ÏíͨÓôúÂ룬£¬£¬£¬ £¬£¬£¬£¬ÒÑͨ¹ý²âÊÔ£¬£¬£¬£¬ £¬£¬£¬£¬Ã»Óзì϶£¬£¬£¬£¬ £¬£¬£¬£¬½¨ÒéÊÜÓ°ÏìÓû§ÏÂÔØʹÓᣡ£ ¡£¡£¡£¡£¡£¡£

Ï޶ȴÓInternetµ½Oracle iPlanet Web ServerµÄWebÖÎÀí½ÚÔį̀µÄ½Ó¼û£¬£¬£¬£¬ £¬£¬£¬£¬Ö»ÔÊÐí¿ÉÐÅip½Ó¼û¡£¡£ ¡£¡£¡£¡£¡£¡£


0x03 ÓйØÐÂÎÅ


https://securityaffairs.co/wordpress/103055/hacking/oracles-iplanet-web-server-flaws.html?utm_source=rss&utm_medium=rss&utm_campaign=oracles-iplanet-web-server-flaws


0x04 ²Î¿¼Á´½Ó


https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/

https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf


0x05 ¹¦·òÏß


2020-05-12 VSRC°ä²¼·ì϶¹«¸æ


8827Ì«Ñô¼¯ÍÅ(Macau)¹É·ÝÓÐÏÞ¹«Ë¾-Official website