----------------------------------------------------------------------
SNS Advisory No.84
Oracle Application Server HTTP Response Splitting Vulnerability

Problem first discovered on: Tue, 01 Feb 2005
Published on: Tue, 21 Oct 2005
----------------------------------------------------------------------

Severity Level:
---------------
  Medium


Overview:
---------
  Oracle Application Server has vulnerabilities of HTTP Response Splitting. 
  This makes possible to represent an unreal content as if it is real or
  to cause Cross Site Scripting attacks.


Problem Description:
--------------------
  Oracle Application Server has Session URL Rewriting function, which can embed 
  and specify session management parameters in URL. 

  In Session URL Rewriting function, the server does not sanitize Special
  character appropriately when resetting the specified session
  management parameters as Cookie. 

  Therefore, arbitrary HTTP header or content can be outputted as the
  response when specifying session management parameters including
  arbitrary content prefixed with a linefeed code.

  In the result, representing unreal content as if it is real or causing 
  Cross Site Scripting attacks can be possible. And this might be
  exploited for Phishing Fraud, Session Hijack, and so on.


Tested Versions:
----------------
  Oracle9i Application Server Release 2 (9.0.2.3)
  Oracle Application Server 10g Release 1 (9.0.4.2)
  Oracle Application Server 10g Release 2 (10.1.2.0)


Solution:
---------
  Apply Critical Patch Update - October 2005
  http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html


Discovered by:
--------------
  Keigo Yamazaki (LAC) 


Disclaimer:
-----------
  The information contained in this advisory may be revised without prior
  notice and is provided as it is. Users shall take their own risk when
  taking any actions following reading this advisory. LAC Co., Ltd.
  shall take no responsibility for any problems, loss or damage caused
  by, or by the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/84_e.html
----------------------------------------------------------------------