
Oracle E-Business Suite Cross Site Scripting

Posted Feb 9, 2010
Authored by Gil Cohen | Site hacktics.com

The Oracle E-Business Suite suffers from a cross site scripting vulnerability in the error details page.

tags | advisory, xss
SHA-256 | cfb0d08a1aea903cb859eb27a83251c33db45a11685d30d5bcb2dc4bcf049053

Hacktics Research Group Security Advisory
http://www.hacktics.com/#view=Resources%7CAdvisory

By Gil Cohen, Hacktics.
9-Feb-2010

===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in an Oracle E-Business Suite deployment.
Further research has identified that a web interface showing user errors is
vulnerable to reflected cross site scripting attacks.

A friendly formatted version of this advisory is available in:
http://www.hacktics.com/content/advisories/AdvORA20100209.html

===============
II. The Finding
===============
The XSS vulnerability appears in the error details page,
OAErrorDetailPage.jsp, when the server is in diagnostics mode, and requires
an additional preliminary step to invoke. When an application error occurs,
the application presents a general error message with a link to the detailed
error page. The detailed error page is vulnerable to scripting attacks
embedded in input sent to the page that caused the error. An attacker can
exploit this by sending users or administrators a malicious link that causes
an error and contains a malicious script, and urging them to navigate to the
details page, which causes the malicious script to be executed.

Hacktics' research classifies the risk of the vulnerability as Low, due to
the combination of the non-default diagnostics mode and the complex
invocation scenario, which reduces the probability of successfully exploiting
this vulnerability.

============
III. Details
============
The XSS vulnerability requires that an error is raised first, through
OA.jsp. The page that receives the malicious script and raises the error
resides at the following address:

http://foo.bar:fooport/OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=aaaa'a&OAPB=bbbb'b&transactionid=malicious_script

The application then displays a general error message with a link to a more
detailed error page (OAErrorDetailPage.jsp). When the user navigates to the
vulnerable error details page, the script executes:

http://foo.bar:fooport/OA_HTML/OAErrorDetailPage.jsp
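
Added example, not part of the original advisory: a log check for the
two-step pattern described above (an OA.jsp request carrying HTML
metacharacters, then a visit to OAErrorDetailPage.jsp by the same client).
The log format, the sample lines, the function names and the use of client
IP as a session proxy are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); IPs and values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2010:10:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=aaaa%27a&OAPB=bbbb%27b&transactionid=%3Cb%3Etest HTTP/1.1" 200 5120
10.0.0.5 - - [09/Feb/2010:10:00:09 +0000] "GET /OA_HTML/OAErrorDetailPage.jsp HTTP/1.1" 200 9001
10.0.0.7 - - [09/Feb/2010:10:01:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&transactionid=12345 HTTP/1.1" 200 4800
10.0.0.7 - - [09/Feb/2010:10:01:05 +0000] "GET /OA_HTML/OAErrorDetailPage.jsp HTTP/1.1" 200 700
10.0.0.9 - - [09/Feb/2010:10:02:00 +0000] "GET /OA_HTML/OA.jsp?page=/x&OAPB=%22%3E%3Ci%3E HTTP/1.1" 200 4800
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
META = set("<>\"'")  # characters that matter when a value is echoed into HTML

def suspicious_params(target):
    """Return names of OA.jsp query parameters whose decoded value has HTML metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/OA.jsp"):
        return []
    # parse_qsl percent-decodes values, so %3C and a literal < are treated alike.
    return [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if META & set(v)]

def analyze(log_text):
    """Return findings; 'detail_page_visited' marks clients that then opened the details page."""
    pending = {}    # client -> index of its most recent open finding
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        params = suspicious_params(target)
        if params:
            pending[client] = len(findings)
            findings.append({"client": client, "params": params, "detail_page_visited": False})
        elif urlsplit(target).path.endswith("/OAErrorDetailPage.jsp") and client in pending:
            findings[pending.pop(client)]["detail_page_visited"] = True
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A finding with detail_page_visited set to True means the second step of the
scenario was reached and is the one to triage first.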

===========
IV. Exploit
===========
The exploit is performed by replacing malicious_script with the relevant
JavaScript payload.

===================
V. Affected Systems
===================
The vulnerability was identified in version 12.1.1.

==============================
VI. Vendor's Response/Solution
==============================
Oracle's security alerts group was notified of this vulnerability in
early November 2009.
The vulnerability has been acknowledged by Oracle, and has already been
fixed in the Jul-2009 CPU:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Oracle has also pointed out that this vulnerability is only applicable when
the system is in diagnostics mode. Customers are advised to avoid
running their systems in diagnostics mode while in production.

===========
VII. Credit
===========
The vulnerability was discovered by Gil Cohen from Hacktics Ltd.


---
Ofer Maor
CTO, Hacktics
Chairman, OWASP Israel

Web: www.hacktics.com


