Add CVE-2019-2557 - Oracle Application Testing Suite Directory Traversal #11822
Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing solution for web applications, web services, packaged Oracle applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager.
In the Load Testing component, a vulnerability was discovered by Steven Seeley (@mr_me) of Source Incite in the DownloadServlet class. According to the Source Incite advisory, the issue results from the lack of proper validation of a user-supplied string before using it to read a file. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Note that authentication is required.
This vulnerability is also known as CVE-2019-2557.
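To make the bug class concrete, here is an added example (not code from the module, from OATS, or from the Source Incite advisory) of the pattern the advisory describes: a download handler that joins a user-supplied file name onto a base directory and reads it with no validation, shown beside a hardened version that canonicalizes the path and refuses anything that leaves the base directory. The directory layout, file names and the `download_vulnerable`/`download_safe` names are constructed for this illustration and are not OATS paths or class names.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed fixture for the demo (not an OATS layout):
#   <tmp>/webroot/report.txt  - a file the handler is meant to serve
#   <tmp>/secret.txt          - a file one level above the served directory
def build_fixture
  root = Dir.mktmpdir('traversal-demo')
  webroot = File.join(root, 'webroot')
  FileUtils.mkdir_p(webroot)
  File.write(File.join(webroot, 'report.txt'), 'quarterly load test results')
  File.write(File.join(root, 'secret.txt'), 'db password: hunter2')
  [root, webroot]
end

# Vulnerable pattern: the caller-controlled name is joined to the base
# directory and read as-is. "../secret.txt" walks out of webroot.
def download_vulnerable(webroot, name)
  File.read(File.join(webroot, name))
end

# Hardened pattern: resolve the request against the real base directory,
# then require the canonical result to stay inside it. Absolute names,
# ".." segments and symlinks pointing outside all fail the prefix check.
# Returns nil for anything that is rejected.
def download_safe(webroot, name)
  return nil if name.include?("\0")               # NUL bytes truncate in some runtimes
  base = File.realpath(webroot)
  candidate = File.expand_path(name, base)         # resolves "." and ".."; absolute names stay absolute
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  return nil unless File.file?(candidate)
  real = File.realpath(candidate)                  # follow symlinks before the final check
  return nil unless real.start_with?(base + File::SEPARATOR)
  File.read(real)
end

# Run both handlers against a legitimate name and two traversal attempts
# and return the outcomes so they can be compared.
def demo
  root, webroot = build_fixture
  {
    vuln_legit:     download_vulnerable(webroot, 'report.txt'),
    vuln_traversal: download_vulnerable(webroot, '../secret.txt'),
    safe_legit:     download_safe(webroot, 'report.txt'),
    safe_traversal: download_safe(webroot, '../secret.txt'),
    safe_absolute:  download_safe(webroot, File.join(root, 'secret.txt')),
  }
ensure
  FileUtils.rm_rf(root) if root
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The vulnerable handler hands back the contents of `secret.txt` for the `../` request; the hardened one returns nil for both the relative traversal and the absolute path while still serving `report.txt`. Note that prefix-checking the string `base + "/"` rather than `base` alone matters: without the trailing separator, a sibling directory such as `webroot-old/` would pass the check.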
The following is the exact setup I used to test and analyze the vulnerability:
For installation instructions, please refer to the Oracle Application Testing Suite Installation Guide.
OATS is designed for internal unit testing; there's no reason this should ever be exposed online. This is more for internal engagements and/or pivoting after getting a foothold from remote, type of thing. I will quote Oracle: