Reporter Nahuel Grisolia
`Advisory Name: Reflected Cross-Site Scripting (XSS) in OracleJSP Demos
Internal Cybsec Advisory Id: 2011-0403- Reflected Cross-Site Scripting (XSS) in OracleJSP Demos
Vulnerability Class: Reflected Cross-Site Scripting (XSS)
Release Date: April 20, 2011
Affected Applications: Confirmed in OracleJSP 220.127.116.11.0 with iAS v18.104.22.168. Other versions may also be affected
Affected Platforms: Any running OracleJSP Demos
Local / Remote: Remote
Severity: Medium - CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Researcher: Nahuel Grisolia
Vendor Status: Patched
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
A reflected Cross Site Scripting vulnerability was found in OracleJSP 22.214.171.124.0 Demos with iAS v126.96.36.199, because scripts fail to sanitize user-supplied input. The vulnerability can be triggered by any user who is able access those Demos.
http://171.XXX.XX.64/demo/ojspext/jmltype/index.jsp, in field "String Test"
An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application.
Solution: Install Oracle Critical Patch Update (CPU) - April 2011.
Feb 4, 2010 - Vendor contacted.
Feb 5, 2010 - Vendor asks for mor detailed information, which is provided by Cybsec.
Feb 8, 2010 - Vendor acknowledges vulnerability and assigns internal tracking ID "12907193".
Apr 15, 2011 - Vendor informs vulnerability will be fixed in upcoming Critical Patch Update.
Apr 18, 2011 - Vendor informs that the vulnerability is fixed in the upcoming Critical Patch Update (CPU) due to be released on April 19, 2011.
Apr 19, 2011 - Vendor publishes CPU.
Apr 20. 2011 - Cybsec Publishes Vulnerability.
For more information regarding the vulnerability feel free to contact Cybsec Labs at
cybseclabs <at> cybsec <dot> com
About CYBSEC S.A. Security Systems
Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Computer Security. More than 150 clients around the globe validate our quality and professionalism.
To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies.
Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable.
Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange.
For more information, please visit www.cybsec.com
(c) 2011 - CYBSEC S.A. Security Systems