This is a MIME-formatted message.  If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_lexx-14336-1135326200-0001-2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

SEC Consult Security Advisory < 20051223-0 >
========================================================================
             title: < Multiple Cross Site Scripting Vulnerabilities
                      in OracleAS Discussion Forum Portlet >
           program: < OracleAS Discussion Forum Portlet >
vulnerable version: < Version of May 2005 >
          homepage: < http://www.oracle.com >
             found: < 2005-09-16 >
                by: < Johannes Greil > SEC Consult / www.sec-consult.com
========================================================================


vendor description:
-------------------
Oracle's business is information - how to manage it, use it, share it,
protect it. For nearly three decades, Oracle, the world's largest
enterprise software company, has provided the software and services that
let organizations get the most up-to-date and accurate information from
their business systems.
[www.oracle.com]


vulnerability overview:
-----------------------

The discussion forum portlet suffers from multiple Cross Site Scripting
vulnerabilities. E.g. it is possible to create relogin trojans, steal
session cookies, alter the content of the site or hide articles which
don't show up in the overview page.

1) The URL parameter "RowKeyValue" is not properly validated and is
prone to Cross Site Scripting. It gets a problem if one can trick a user
to click a malicious link.

2) A more severe Cross Site Scripting problem exists in all input fields
of the forum when posting an article. Those fields aren't filtered at
all and it is possible to insert malicious code.


proof of concept:
-----------------
1) By requesting the forum URL and adding scripting code to the
"RowKeyValue" parameter it is possible to trigger a temporary XSS bug
via a URL.

e.g.
http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&
df_next_page=htdocs/forums.jsp&
RowKeyValue=<script>alert(document.cookie)</script>

2) It is possible to launch a permanent XSS attack by storing the
scripting code in a forum article. A regular user only needs to view
such an article to have her/his account data stolen without
any other interaction. If an attacker hides the article via
specially crafted title content, only viewing the overview page is
enough to execute malicious code.

e.g. add scripting code in title or content input field of an article:
<script>document.write(document.cookie)</script>


vulnerable versions:
--------------------

Version of May 2005
http://www.oracle.com/technology/products/ias/portal/point_downloads.html#forum


vendor status:
--------------
vendor notified: 2005-09-26
vendor response: 2005-09-27
patch available: -

The first response from Oracle was on 27th September (assigning bug
numbers) with a more detailed answer on 28th September. They explicitly
said that the forum is sample code and shouldn't be used in a production
environment although it can be found in such installations.

The last email from Oracle was on 21st October saying that they will fix
it "hopefully within the next 4 weeks". Asking them for a status update
at the beginning of December and another email on 19th December didn't
trigger any responses hence this advisory is being released.


solution:
---------

Only use the forum portlet in test installations and not in a production
environment.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Johannes Greil > SEC Consult / www.sec-consult.com
SGT ::: < tke, mei, bmu, dfa > :::

--=_lexx-14336-1135326200-0001-2
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNzCC
AvYwggJfoAMCAQICAw88NzANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwODAyMTIzMTEwWhcNMDYwODAyMTIzMTEw
WjBkMQ4wDAYDVQQEEwVHcmVpbDERMA8GA1UEKhMISm9oYW5uZXMxFzAVBgNVBAMTDkpvaGFu
bmVzIEdyZWlsMSYwJAYJKoZIhvcNAQkBFhdqLmdyZWlsQHNlYy1jb25zdWx0LmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgLAOvtJoQsA4wlIE1G49hqS9Icb4f9JmbM
+ehTvQgsVmpmEtCwAKxDxhe+/6lZjZyz9xh95SrVfA/2MlGUgUkE4QMLMxkf8qAvaF7n4AZo
KvRe8iMw5rnhXcUSWUmsx2RXAS9tKVFJjt7I5cb8VmE88gCpVDx2SPXIgpBXyjx4hOqhvEnV
ORHq6nwLJtD0C73RTxsVDefjZXQLXoyQl9jnYuedQMM67HXM9Hz3mL01SnOF1mGt9EE6vufe
B7OZYr1foutSL5EJna0xIjC19Vw0emetcYr362gXkNUCa/IJsbPIM8p9w4y6grHosunl0IXU
YOXbZ3JFTkogF2KAgLsCAwEAAaM0MDIwIgYDVR0RBBswGYEXai5ncmVpbEBzZWMtY29uc3Vs
dC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCCQoDIstXJyUfOMcr+1auf
H3nD2EGr5If//nrdDgn8teb8YC6d+rP/jX1KvhdffdBjioVxgjq8R1UDJlttHLwXV2E+DqX2
cfaOnBjx4BIwWs2J34qGcgzc2LFzJmRIGBiI31/qiHihWL3FM3ULigi83NSCl9BOi+0CM7vE
wqztVzCCAvYwggJfoAMCAQICAw88NzANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTEl
MCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl
IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwODAyMTIzMTEwWhcNMDYwODAy
MTIzMTEwWjBkMQ4wDAYDVQQEEwVHcmVpbDERMA8GA1UEKhMISm9oYW5uZXMxFzAVBgNVBAMT
DkpvaGFubmVzIEdyZWlsMSYwJAYJKoZIhvcNAQkBFhdqLmdyZWlsQHNlYy1jb25zdWx0LmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgLAOvtJoQsA4wlIE1G49hqS9Ic
b4f9JmbM+ehTvQgsVmpmEtCwAKxDxhe+/6lZjZyz9xh95SrVfA/2MlGUgUkE4QMLMxkf8qAv
aF7n4AZoKvRe8iMw5rnhXcUSWUmsx2RXAS9tKVFJjt7I5cb8VmE88gCpVDx2SPXIgpBXyjx4
hOqhvEnVORHq6nwLJtD0C73RTxsVDefjZXQLXoyQl9jnYuedQMM67HXM9Hz3mL01SnOF1mGt
9EE6vufeB7OZYr1foutSL5EJna0xIjC19Vw0emetcYr362gXkNUCa/IJsbPIM8p9w4y6grHo
sunl0IXUYOXbZ3JFTkogF2KAgLsCAwEAAaM0MDIwIgYDVR0RBBswGYEXai5ncmVpbEBzZWMt
Y29uc3VsdC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCCQoDIstXJyUfO
Mcr+1aufH3nD2EGr5If//nrdDgn8teb8YC6d+rP/jX1KvhdffdBjioVxgjq8R1UDJlttHLwX
V2E+DqX2cfaOnBjx4BIwWs2J34qGcgzc2LFzJmRIGBiI31/qiHihWL3FM3ULigi83NSCl9BO
i+0CM7vEwqztVzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYT
AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE
ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg
RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG
SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBa
Fw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3Vs
dGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNz
dWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRw
nd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn
8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJg
t/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0
dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJ
KoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH
1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggM7MIIDNwIBATBpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDzw3MAkGBSsOAwIa
BQCgggGnMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA1MTIy
MzA4MjMwOVowIwYJKoZIhvcNAQkEMRYEFItouigkelFL3vuG5qCH43JncNxzMFIGCSqGSIb3
DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0
ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMPPDcwegYLKoZIhvcNAQkQAgsxa6Bp
MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQu
MSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDzw3MA0G
CSqGSIb3DQEBAQUABIIBAA/UiOpEimyY1+/u1nS0nT/CbQFZZQtmcJQQHwJjIR0zkBW+Q8qI
sIus59ZqAJN77RmkVK6nfj4pUaqjdLLRcC2yYTyFORzWgn0z58oiDWSlLjLCf1//7I+ClpXd
ehhmu+62psUc8HOh7D8wGnGFDiZLZ/1LJ4zdkqS2O8yxt+/Lqlatmlu7rGJ3B5ClkpfcwYKy
skSgC/QqtjP5SQJVwEhC22r5iRlqjk/xqnUOcAeVE4lEthtVBLFDKHb690uCVJYjmtR89hrd
K4V02SQb60anaRVXmrpTyK54xoxVCHNUhp5HI3qLVznKHBVGvVP4/00DQ23J0vM/79Cby1pb
jhsAAAAAAAA=
--=_lexx-14336-1135326200-0001-2--