Oracle Portal P_OldURL Parameter Cross-Site Scripting Vulnerability

Bugtraq ID:	22999
Class:	Input Validation Error
CVE:	CVE-2007-1506
Remote:	Yes
Local:	No
Published:	Mar 16 2007 12:00AM
Updated:	May 12 2015 07:33PM
Credit:	d3nx is credited with the discovery of this vulnerability.
Vulnerable:	Oracle Portal 10g
Not Vulnerable:

Oracle Portal P_OldURL Parameter Cross-Site Scripting Vulnerability

Oracle Portal is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Oracle Portal P_OldURL Parameter Cross-Site Scripting Vulnerability

Attackers can use a browser to exploit this issue.

The following proof-of-concept URI is available:

• /data/vulnerabilities/exploits/22999.html

Oracle Portal P_OldURL Parameter Cross-Site Scripting Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Oracle Portal P_OldURL Parameter Cross-Site Scripting Vulnerability

References:

• Oracle Homepage (Oracle)
  
• Oracle Portal PORTAL.wwv_main.render_warning_screen XSS (Sea Shark)