Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
BID:12892
Info
Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
| Bugtraq ID: | 12892 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-0873 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 24 2005 12:00AM |
| Updated: | Jul 12 2009 11:56AM |
| Credit: | Paolo Paolo <[email protected]> is credited with the discovery of these issues. |
| Vulnerable: |
Oracle Oracle Reports 10g 9.0.4 .3.3 |
| Not Vulnerable: | |
Discussion
Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
Multiple remote cross-site scripting vulnerabilities affect Oracle Reports Server. These issues are due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Multiple remote cross-site scripting vulnerabilities affect Oracle Reports Server. These issues are due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
No exploit is required to leverage these issues. The following proof of concept exploits have been made available:
http://paolo/reports/examples/Tools/test.jsp?repprod&desname='&lt;script&gt;alert(document.cookie);&lt;/script&gt;
http://paolo/reports/examples/Tools/test.jsp?repprod"&lt;script&gt;alert(document.cookie);&lt;/script&gt;
No exploit is required to leverage these issues. The following proof of concept exploits have been made available:
http://paolo/reports/examples/Tools/test.jsp?repprod&desname='&lt;script&gt;alert(document.cookie);&lt;/script&gt;
http://paolo/reports/examples/Tools/test.jsp?repprod"&lt;script&gt;alert(document.cookie);&lt;/script&gt;
Solution / Fix
Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - October 2005) to address these issues. Information regarding obtaining and applying appropriate patches can be found in the referenced Oracle Critical Patch Update.
Pre-installation notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333956.1
Pre-installation notes for Oracle Application Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333959.1
Pre-installation notes for Oracle Collaboration Suite can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333961.1
Pre-installation notes for Oracle E-Business Suite and Applications can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333963.1
Pre-installation notes for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne can be found at the following location:
http://www.peoplesoft.com/corp/en/support/security_index.jsp
A message from "David Litchfield" <[email protected]> is available that states that some of the vulnerabilities in Oracle Critical Patch Update - October 2005 may not have been successfully fixed by Oracle. Users of affected packages should refer to the referenced message, and contact their vendor for further information on the status of fixes.
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - October 2005) to address these issues. Information regarding obtaining and applying appropriate patches can be found in the referenced Oracle Critical Patch Update.
Pre-installation notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333956.1
Pre-installation notes for Oracle Application Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333959.1
Pre-installation notes for Oracle Collaboration Suite can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333961.1
Pre-installation notes for Oracle E-Business Suite and Applications can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333963.1
Pre-installation notes for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne can be found at the following location:
http://www.peoplesoft.com/corp/en/support/security_index.jsp
A message from "David Litchfield" <[email protected]> is available that states that some of the vulnerabilities in Oracle Critical Patch Update - October 2005 may not have been successfully fixed by Oracle. Users of affected packages should refer to the referenced message, and contact their vendor for further information on the status of fixes.
References
Oracle Reports Server 10g Multiple Remote Cross-Site Scripting Vulnerabilities
References:
References:
- Critical Patch Update - October 2005 (Oracle)
- Oracle Reports 10g Home Page (Oracle)
- Oracle Reports Server 10g Vulnerable to XSS (Paolo Paolo
- Revision: Multiple Critical and High Vulnerabilities in Oracle Database Server ("David Litchfield"