| Title | Published | Views | Family |
|---|---|---|---|
| Unspecified Vulnerability in Oracle Database Application Express Component (CNVD-2015-04810) | 20 Jul 2015 00:00 | – | cnvd |
| CVE-2015-2655 | 16 Jul 2015 10:00 | – | cve |
| CVE-2015-2655 | 16 Jul 2015 10:00 | – | cvelist |
| EUVD-2015-2747 | 7 Oct 2025 00:30 | – | euvd |
| KLA10639 Multiple vulnerabilities in Oracle products | 17 Jul 2015 00:00 | – | kaspersky |
| CVE-2015-2655 | 16 Jul 2015 11:00 | – | nvd |
| Oracle Database Server Unspecified Vulnerability -06 (Jan 2016) | 25 Jan 2016 00:00 | – | openvas |
| Oracle Critical Patch Update Advisory - July 2015 | 14 Jul 2015 00:00 | – | oracle |
| Oracle Database Multiple Vulnerabilities (July 2015 CPU) | 17 Jul 2015 00:00 | – | nessus |
| Oracle Application Express Cross Site Scripting | 17 Jul 2015 00:00 | – | packetstorm |
title: Permanent Cross-Site Scripting
product: Oracle Application Express
vulnerable version: All versions prior to 4.2.3.00.08
fixed version: 4.2.3.00.08
CVE number: CVE-2015-2655
impact: high
homepage: https://apex.oracle.com/i/index.html
found: 2014-05-28
by: F. Lukavsky
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Oracle Application Express (Oracle APEX) is Oracle's primary tool for
developing Web applications with SQL and PL/SQL. Using only a web browser, you
can develop and deploy professional Web-based applications for desktops and
mobile devices. It is a fully supported, no cost option of the Oracle
Database, and is installed by default in all editions of the Oracle Database.
Even those without SQL and PL/SQL knowledge, can still easily install the many
built-in packaged applications, such as Survey Builder, Customer Tracker, and
P-Track (for tracking projects)."
http://www.oracle.com/technetwork/developer-tools/apex/overview/index.html
Vulnerability overview/description:
-----------------------------------
The gReport Controls Sort Widget is prone to permanent Cross-Site Scripting.
The setting "display as" of the column attributes is ignored for the filter
list.
Proof of concept:
-----------------
Adding the following field to a table will cause an alertbox to display the
currently set cookies as soon as the sort options are selected for the column:
xss-entry<img src=x onerror=alert(document.cookie)>
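As an added illustration of the defect described above (not code from SEC Consult or Oracle), the following models a filter list that, like the widget, interpolates stored column values straight into markup, beside a variant that escapes them as the column's "display as" setting should; the row data and function names are constructed for this example.

```javascript
// Added example, not the vendor's or the advisory's code. A minimal model of a
// report filter list that shows the distinct values of one column: the unsafe
// variant concatenates raw cell content into markup, the hardened one escapes it.

// Constructed sample column data; the last row carries the advisory's payload.
const SAMPLE_ROWS = [
  { id: 1, name: 'alpha' },
  { id: 2, name: 'beta' },
  { id: 3, name: 'xss-entry<img src=x onerror=alert(document.cookie)>' },
];

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function distinctValues(rows, column) {
  return [...new Set(rows.map((r) => r[column]))];
}

// Vulnerable pattern: stored cell content becomes markup, so an <img> element
// with an onerror handler is created as soon as the list is rendered.
function renderFilterListUnsafe(rows, column) {
  const items = distinctValues(rows, column).map((v) => `<li>${v}</li>`);
  return `<ul class="filter">${items.join('')}</ul>`;
}

// Hardened pattern: cell content is escaped before insertion, so the payload is
// displayed as literal text and no element is created from it.
function renderFilterListSafe(rows, column) {
  const items = distinctValues(rows, column).map((v) => `<li>${escapeHtml(v)}</li>`);
  return `<ul class="filter">${items.join('')}</ul>`;
}

// Check used for verification: does the markup contain any tag other than the
// <ul>/<li> elements the widget itself emits?
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some((t) => !/^<\/?(ul|li)$/i.test(t));
}
```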
Vulnerable / tested versions:
-----------------------------
All versions prior to 4.2.3.00.08
Vendor contact timeline:
------------------------
2014-08-13: Contacting vendor through [email protected]
2014-08-14: Vendor response - vulnerability will be investigated
2014-08-15: Vendor response - issue will be tracked as S0484336
2014-08-22: Status update: Under investigation / Being fixed in main codeline
2014-09-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-10-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-11-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-12-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-01-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-02-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-03-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-04-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-05-23: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-06-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-07-11: Issue is fixed in upcoming CPU, patches will be released on 2015-07-14
2015-07-16: Coordinated release of the security advisory
Solution:
---------
Upgrade to Oracle Application Express 4.2.3.00.08.
Workaround:
-----------
Refrain from using the gReport Controls Sort Widget.
# 0day.today [2018-01-02] #