Digital Security Research Group [DSecRG] Advisory #DSECRG-09-001
Application: Oracle Application Server (SOA)
Versions Affected: Oracle Application Server (SOA) version
Vendor URL: http://www.oracle.com
Bugs: XSS
Exploits: YES
Reported: 10.01.2008
Vendor response: 11.01.2008
Date of Public Advisory: 13.01.2009
CVE: CVE-2008-4014
Description: XSS IN BPELCONSOLE/DEFAULT/ACTIVITIES.JSP
Author: Alexandr Polyakov, Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
A linked (reflected) XSS vulnerability was found in the BPEL module of Oracle Application Server (Oracle SOA Suite). The page BPELConsole/default/activities.jsp copies the names and values of the request's query parameters into the href of its column-sort link without escaping them, so an attacker can inject script simply by appending a crafted parameter to the URL. In the proof of concept the payload is the parameter name: it begins with '> to close the single-quoted href attribute and the <a> tag, and the script element that follows is rendered as markup.
The attacker must get an administrator to open the crafted link; the script then executes in the BPELConsole origin and can read the administrator's cookie.
HTML returned by activities.jsp with the injected payload:
</th>
<th id="activityLabel" class="ListHeader" align="left" nowrap>
<a href='activities.jsp?'><script>alert('DSecRG_XSS')</script>=DSecRG&orderBy=label' class=HeaderLink> Activity Label </a>
</th>
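The following is an added example, not Oracle's or DSecRG's code. The activities.jsp source is not reproduced in this advisory, so build_sort_link_vulnerable() is an assumed model of the page's behaviour, written so that it reproduces the reflected fragment above exactly from the proof-of-concept URL (the hostname soa.example.test is made up). Next to it, build_sort_link_hardened() shows the two encodings (percent-encoding for the URL context, HTML escaping for the attribute context) that stop the parameter name from breaking out of the href, and reflects_unescaped() is the check a tester would run against the response.

```python
"""Added example (not Oracle's or DSecRG's code): model of the activities.jsp
reflection described in this advisory, with a hardened counterpart and a
reflected-XSS check.  The vulnerable builder is an ASSUMED reconstruction."""
import html
from urllib.parse import parse_qsl, quote, urlsplit

# The injected parameter NAME: a leading '> closes the single-quoted href and
# the <a> tag, after which the script element is rendered as markup.
PAYLOAD = "'><script>alert('DSecRG_XSS')</script>"

# Constructed PoC URL (hostname assumed); the payload is the parameter name.
POC_URL = (
    "http://soa.example.test/BPELConsole/default/activities.jsp?"
    + PAYLOAD + "=DSecRG&orderBy=label"
)


def query_params(url):
    """Return the (name, value) pairs of the URL's query string, percent-decoded."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def build_sort_link_vulnerable(url, sort_key="label", label="Activity Label"):
    """Assumed model of the vulnerable page: every incoming parameter is carried
    over into the sort link by plain string concatenation, so markup in a
    parameter name or value lands in the HTML unchanged."""
    pairs = [(n, v) for n, v in query_params(url) if n != "orderBy"]
    pairs.append(("orderBy", sort_key))
    qs = "&".join(f"{n}={v}" for n, v in pairs)
    return f"<a href='activities.jsp?{qs}' class=HeaderLink> {label} </a>"


def build_sort_link_hardened(url, sort_key="label", label="Activity Label"):
    """Same link, built safely: each name and value is percent-encoded for the
    URL context, then the whole attribute value is HTML-escaped (quotes
    included) for the attribute context.  Two contexts, two encodings."""
    pairs = [(n, v) for n, v in query_params(url) if n != "orderBy"]
    pairs.append(("orderBy", sort_key))
    qs = "&".join(f"{quote(n, safe='')}={quote(v, safe='')}" for n, v in pairs)
    href = html.escape("activities.jsp?" + qs, quote=True)
    return f'<a href="{href}" class="HeaderLink"> {html.escape(label)} </a>'


def reflects_unescaped(page_html, marker="<script>alert('DSecRG_XSS')</script>"):
    """Reflected-XSS indicator: the marker came back byte-for-byte, i.e. it was
    neither percent-encoded nor HTML-escaped on its way into the page."""
    return marker in page_html


if __name__ == "__main__":
    for name, build in (("vulnerable", build_sort_link_vulnerable),
                        ("hardened", build_sort_link_hardened)):
        out = build(POC_URL)
        print(f"{name}: reflected={reflects_unescaped(out)}\n  {out}")
```

The vulnerable builder yields exactly the `<a ...>` line quoted above; the hardened one turns the same request into `href="activities.jsp?%27%3E%3Cscript%3E...&amp;orderBy=label"`, where the payload is inert in both the URL and the attribute. Escaping only the values while still concatenating the names would leave this particular bug open, which is why both sides of every pair go through quote().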
The fix was published in the Oracle Critical Patch Update (CPU) of January 2009. Customers can download the CPU patches by following the instructions from:
Oracle credits Alexander Polyakov of Digital Security in the January 2009 CPU.
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. The Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru http://www.dsecrg.ru http://www.dsec.ru