Hacktics Advisory Feb09: XSS in Oracle E-Business Suite


Hacktics Research Group Security Advisory http://www.hacktics.com/#view=Resources%7CAdvisory By Gil Cohen, Hacktics. 9-Feb-2010 =========== I. Overview =========== During a penetration test performed by Hacktics' experts, certain vulnerabilities were identified in an Oracle E-Business Suite deployment. Further research has identified that a web interface showing user errors are vulnerable to reflected cross site scripting attacks. A friendly formatted version of this advisory is available in: http://www.hacktics.com/content/advisories/AdvORA20100209.html =============== II. The Finding =============== The XSS vulnerability appears in the error details page, OAErrorDetailPage.jsp when the server is in diagnostics mode, and requires an additional preliminary step to invoke. When an application error occurs, the application presents a general error message with a link to the detailed error page. The detailed error page is vulnerable to scripting attacks embedded in input sent to the page that caused the error. An attacker can exploit this by sending users or administrators a malicious link that causes an error and contains a malicious script, and urges them to navigate to the details page causing the malicious script to be executed. Hacktics' research classifies the risk of the vulnerability as Low, due to the combination of the non default diagnostic mode, and the complex invocation scenario, which reduce the probability of successfully exploiting this vulnerability. ============ III. Details ============ The XSS vulnerability requires that an error is raised first, through OA.jsp. The page that receives the malicious script and raises the error resides at the following address: http://foo.bar:fooport/OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/naviga te/webui/HomePG&homePage=aaaa'a&OAPB=bbbb'b&transactionid=malicious_script The application then displays a general error message with a link to a more detailed error page (OAErrorDetailPage.jsp). When the user navigates to the vulnerable error details page, the script executes: http://foo.bar:fooport/OA_HTML/OAErrorDetailPage.jsp =========== IV. Exploit =========== The exploit is performed by replacing malicious_script with the relevant Javascript payload. =================== V. Affected Systems =================== The vulnerability was identified in version 12.1.1. ============================== VI. Vendor's Response/Solution ============================== Oracle's security alerts group has been notified of this vulnerability in early November 2009. The vulnerability has been acknowledged by Oracle, and has already been fixed in the Jul-2009 CPU: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuj ul2009.html Oracle has also pointed out that this vulnerability is only applicable when the system is in diagnostics mode. Customers are recommended to avoid running their systems in diagnostics mode while in production. =========== VII. Credit =========== The vulnerability was discovered by Gil Cohen from Hacktics Ltd. --- Ofer Maor CTO, Hacktics Chairman, OWASP Israel Web: www.hacktics.com