Cross Site Scripting in Oracle E-Business Suite

February 8, 2010

Hacktics Research
By Gil Cohen, February 9th, 2010

Overview

During a penetration test performed by Hacktics' experts, several vulnerabilities were identified in an Oracle E-Business Suite deployment. Further research showed that the web interface that displays error details to users is vulnerable to reflected cross-site scripting.

The Finding

The XSS vulnerability is in the error details page, OAErrorDetailPage.jsp, when the server is running in diagnostics mode, and it requires a preliminary step to trigger. When an application error occurs, the application presents a general error message with a link to a detailed error page. That page reflects input from the request that caused the error without neutralizing it, so script embedded in that input executes in the viewer's browser. An attacker can exploit this by sending a user or administrator a crafted link that both raises an error and carries the script, and then luring them into following the "details" link on the resulting error page.

Hacktics rates the risk of this vulnerability as Low: diagnostics mode is not enabled by default, and the two-step invocation scenario further reduces the probability of successful exploitation.

Details

The vulnerability requires that an error first be raised through OA.jsp. The request that carries the malicious script and raises the error is sent to the following address (foo.bar:fooport stands for the target host and port; the stray apostrophes in homePage and OAPB are what provoke the error):
http://foo.bar:fooport/OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=aaaa'a&OAPB=bbbb'b&transactionid=malicious_script

The application then displays a general error message with a link to the detailed error page, OAErrorDetailPage.jsp. When the user follows that link, the injected script executes:
http://foo.bar:fooport/OA_HTML/OAErrorDetailPage.jsp

Exploit

The exploit is carried out by replacing malicious_script in the URL above with the desired JavaScript payload, URL-encoded as needed. The payload fires only when the victim actually follows the "details" link, and only on a server running in diagnostics mode.
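As an added example that is not part of the original advisory, the Python script below shows how a defender could spot attempts to exercise this flaw in web server access logs: it pairs an OA.jsp request whose parameters carry markup or script with a subsequent OAErrorDetailPage.jsp request from the same client within a short window, since only that second request turns the injected input into executed script. The log lines, IP addresses, timestamps and the ten-minute window are constructed for illustration, not taken from a real deployment, and the log format is assumed to be Apache common log format.

```python
"""Flag the two-step OA.jsp -> OAErrorDetailPage.jsp pattern in web access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in Apache common log format. They are not taken from
# the advisory or from any real deployment; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2010:10:01:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=aaaa'a&OAPB=bbbb'b&transactionid=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512
10.0.0.5 - - [08/Feb/2010:10:01:09 +0000] "GET /OA_HTML/OAErrorDetailPage.jsp HTTP/1.1" 200 4096
10.0.0.7 - - [08/Feb/2010:10:02:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&transactionid=1234 HTTP/1.1" 200 512
10.0.0.7 - - [08/Feb/2010:10:02:05 +0000] "GET /OA_HTML/OAErrorDetailPage.jsp HTTP/1.1" 200 4096
10.0.0.9 - - [08/Feb/2010:10:03:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&transactionid=%22%20onload%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 512
10.0.0.9 - - [08/Feb/2010:11:30:00 +0000] "GET /OA_HTML/OAErrorDetailPage.jsp HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters and tokens that have no business in a transaction id but are needed to
# break out of an HTML or attribute context or to introduce script.
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|javascript:|\bon[a-z]+\s*=""", re.IGNORECASE)

# Assumed correlation window between the tainted request and the error-page visit.
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one access-log line into ip, timestamp, path and decoded query params."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    # keep_blank_values so a parameter that is present but empty is still visible
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m["ip"], "ts": ts, "path": parts.path, "params": params}


def suspicious_params(params):
    """Return the names of parameters whose decoded values look like markup/script."""
    hits = []
    for name, values in params.items():
        for v in values:
            # parse_qs already decoded once; a second unquote catches double encoding
            if SUSPICIOUS_RE.search(unquote(v)):
                hits.append(name)
                break
    return hits


def detect(log_text, window=WINDOW):
    """Pair a tainted OA.jsp request with the same client's next error-page visit.

    Returns a list of (ip, suspicious_param_names, seconds_between) tuples. A tainted
    OA.jsp hit with no error-page visit inside the window is not alerted on, because
    without the second step the payload is never rendered.
    """
    pending = defaultdict(list)   # ip -> [(ts, param names)] of tainted OA.jsp hits
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith("/OA_HTML/OA.jsp"):
            hits = suspicious_params(rec["params"])
            if hits:
                pending[rec["ip"]].append((rec["ts"], hits))
        elif rec["path"].endswith("/OA_HTML/OAErrorDetailPage.jsp"):
            remaining = []
            for ts, hits in pending[rec["ip"]]:
                delta = rec["ts"] - ts
                if timedelta(0) <= delta <= window:
                    alerts.append((rec["ip"], hits, int(delta.total_seconds())))
                elif delta < timedelta(0):
                    remaining.append((ts, hits))   # out-of-order line; keep for later
                # tainted hits older than the window have expired and are dropped
            pending[rec["ip"]] = remaining
    return alerts


if __name__ == "__main__":
    for ip, names, secs in detect(SAMPLE_LOG):
        print(f"{ip}: error page viewed {secs}s after tainted OA.jsp request "
              f"(params: {', '.join(names)})")
```

On the constructed sample, only 10.0.0.5 is reported: 10.0.0.7 sent a benign transaction id, and 10.0.0.9's error-page visit came long after the window closed. In a real deployment the window and the suspicious-token list would be tuned against normal traffic, and the same pairing logic can be applied to any other OA.jsp parameter the error page reflects.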

Vendor’s Response/Solution

Oracle's security alerts group was notified of this vulnerability in early November 2009.
Oracle acknowledged the vulnerability and stated that it had already been fixed in the July 2009 Critical Patch Update (CPU):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Oracle also pointed out that the vulnerability is only exploitable when the system is running in diagnostics mode, and recommends that customers not run production systems in diagnostics mode.

Affected Systems

The vulnerability was identified in version 12.1.1.

Credit

The vulnerability was discovered by Gil Cohen from Hacktics Ltd.

Copyright Hacktics 2009. All rights reserved.
