=============================================
INTERNET SECURITY AUDITORS ALERT 2010-007
- Original release date: August 11th, 2010
- Last revised: May 1st, 2011
- Discovered by: Vicente Aguilera Diaz
- Severity: 5.0/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
XSS in Oracle Portal Database Access Descriptor

II. BACKGROUND
-------------------------
Oracle AS Portal is a Web-based application for building and deploying portals. It provides a secure, manageable environment for accessing and interacting with enterprise software services and information resources.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Oracle Application Server that allows arbitrary HTML/script code to be executed in the context of the victim user's browser. The injection is done through the DAD name. A DAD (Database Access Descriptor) is a set of values that specifies how a database server should fulfill an HTTP request.

IV. PROOF OF CONCEPT
-------------------------
Original request:
http:///portal/pls/

Malicious request:
http:///portal/pls/

Example 1:
http:///portal/pls/"
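Because the injection point is the DAD segment of the /portal/pls/ path, a defender can check that segment against a strict allow-list, both as a front-end validation rule and as a retrospective scan of web server access logs. The following is an added example written for this advisory; it is not code from Internet Security Auditors or Oracle. It assumes a conservative DAD naming policy (letters, digits and underscore, up to 64 characters, which is a hypothetical policy rather than Oracle's documented rule) and Common Log Format access lines; the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Hypothetical allow-list for a DAD name: letters, digits and underscore.
# This is a policy chosen for the example, not Oracle's own validation rule.
DAD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# Path prefix of the mod_plsql gateway referenced in the advisory.
PLS_PREFIX = "/portal/pls/"

# Extracts the request line from a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (not real traffic): one normal request,
# one with a double quote smuggled into the DAD segment, one with a space,
# and one request that does not touch the PL/SQL gateway at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2010:10:00:01 +0000] "GET /portal/pls/portal/PORTAL.home HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Aug/2010:10:00:02 +0000] "GET /portal/pls/portal%22/PORTAL.home HTTP/1.1" 200 812',
    '10.0.0.9 - - [11/Aug/2010:10:00:03 +0000] "GET /portal/pls/port%20al/ HTTP/1.1" 404 301',
    '10.0.0.7 - - [11/Aug/2010:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def extract_dad(path):
    """Return the raw (still URL-encoded) DAD segment of a /portal/pls/<dad>/... path,
    or None when the path does not go through the PL/SQL gateway."""
    if not path.startswith(PLS_PREFIX):
        return None
    rest = path[len(PLS_PREFIX):]
    # The DAD is the first path segment after the prefix; an empty segment is returned as "".
    return rest.split("/", 1)[0]


def is_valid_dad(segment):
    """Decode percent-encoding first so that encoded quotes or spaces are judged
    by their decoded value, then apply the allow-list."""
    decoded = unquote(segment)
    return bool(DAD_NAME_RE.match(decoded))


def scan_access_log(lines):
    """Return (line_number, decoded_dad_segment) for every gateway request whose
    DAD segment fails the allow-list. Line numbers are 1-based."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-CLF line; nothing to judge
        target = match.group("target").split("?", 1)[0]  # drop any query string
        dad = extract_dad(target)
        if dad is None:
            continue  # not a /portal/pls/ request
        if not is_valid_dad(dad):
            findings.append((number, unquote(dad)))
    return findings


if __name__ == "__main__":
    for number, dad in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: suspicious DAD segment {dad!r}")
```

Running the block reports lines 2 and 3 of the constructed log, where the decoded DAD segment contains a double quote and a space respectively; line 1 passes and line 4 is skipped because it never reaches the gateway. The same `is_valid_dad` check placed in front of the gateway (reverse proxy or WAF rule) rejects such requests before they are reflected.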