Oracle Configurator Filtering Holes Let Remote Users Conduct Cross-Site Scripting Attacks Against Configurator Users to Obtain Sensitive Information

SecurityTracker Alert ID: 1003967
SecurityTracker URL: http://securitytracker.com/id?1003967
CVE Reference: CVE-2002-1639, CVE-2002-1640
Updated: May 22 2008
Original Entry Date: Apr 4 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 11i Patches
Description: Oracle has reported a security vulnerability in the Oracle Configurator. A remote user can conduct cross-site scripting attacks against Configurator users.

A remote user can reportedly conduct cross-site scripting attacks against Oracle Configurator users that implement the DHTML UI and Text Features on Internet applications. It is also reported that a remote user can supply HTML code containing JavaScript to certain text input boxes of the Configurator, so that when other Configurator users view the page, the user-supplied code is executed in the victim's browser. The code will reportedly be able to access any information on the page.

According to the report, a remote user can also supply a specially crafted URL with an invalid string for the ?test parameter of the oracle.apps.cz.servlet.UiServlet to cause the servlet to render a page that displays the user-supplied argument unmodified. A remote user can also retrieve version and host information from the oracle.apps.cz.servlet.UiServlet by passing a 'test=version' argument or a 'test=host' argument to the servlet.
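The following is an added example, not Oracle's servlet code, illustrating what a hardened handler for the UiServlet ?test parameter has to do according to the entry: treat only the recognised values, never echo an unrecognised argument back into the page, and gate the version/host lookups behind the oracle.apps.cz.uiservlet.versionFuncsAvail property from jserv.properties. The property key is the one the advisory names; the function names, the RECOGNISED_TESTS set, the minimal properties parser and the placeholder build/host strings are assumptions made for the example.

```python
# Hypothetical stand-in for the UiServlet "test" dispatcher (added example,
# not Oracle's code). Behaviour modelled on the advisory: recognised test
# values are handled, anything else gets a fixed response that does not
# reflect the argument, and version/host lookups are gated by a switch
# equivalent to oracle.apps.cz.uiservlet.versionFuncsAvail in
# jserv.properties.

PROPERTY_KEY = "oracle.apps.cz.uiservlet.versionFuncsAvail"  # key named in the advisory
RECOGNISED_TESTS = {"version", "host"}  # assumption: the two values the advisory describes


def load_config(properties_text):
    """Parse a minimal jserv.properties-style key=value text into a dict.
    Blank lines and '#' comments are skipped; values are not unescaped."""
    config = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def version_funcs_available(config):
    """True only when the property is explicitly 'true'; absent key fails closed."""
    return config.get(PROPERTY_KEY, "false").lower() == "true"


def handle_test_param(test_value, config,
                      build="BUILD-PLACEHOLDER", host="HOST-PLACEHOLDER"):
    """Return (status, body) for a ?test=<value> request.
    The build and host strings are constructed placeholders for real server data."""
    if test_value in RECOGNISED_TESTS:
        if not version_funcs_available(config):
            # Fix active: information functions are switched off entirely.
            return 403, "test functions are disabled"
        if test_value == "version":
            return 200, f"build: {build}"
        return 200, f"host: {host}"
    # Unrecognised argument: fixed message, the input is never placed in the page.
    return 400, "unrecognised test argument"


def handle_test_param_vulnerable(test_value):
    """Pre-patch behaviour as the entry describes it: the argument is rendered
    into the page unescaped. Included only to contrast with the fixed handler."""
    return 200, f"<html><body>Unknown test: {test_value}</body></html>"


if __name__ == "__main__":
    cfg = load_config(f"{PROPERTY_KEY}=false")
    print(handle_test_param("version", cfg))          # (403, 'test functions are disabled')
    print(handle_test_param("<b>anything</b>", cfg))  # (400, 'unrecognised test argument')
```

Note that the fixed handler fails closed when the property is missing, which is the safer default once the patch is applied; the advisory's instruction to add the line explicitly is still the documented way to make the fix active.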

Impact: A remote user can conduct cross-site scripting attacks to cause arbitrary code to be executed on a Configurator user's browser to obtain sensitive information from Configurator pages.
Solution: The vendor has released patches to correct the flaws. Apply the appropriate patch for your version of Oracle Configurator and then add the following line to your jserv.properties file:

oracle.apps.cz.uiservlet.versionFuncsAvail=false

These potential vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and 16.53.

Patchset H and later: fixed in the base release, no patch needed
Patchset G: Build Number 11.5.7.17.32, ARU 2264442, Developer ARU 2257907
Patchset F: Build Number 11.5.6.16.53, ARU 2279864, Developer ARU 2237471

The vendor has provided the following workaround for the Text Features and DHTML UI vulnerability:

"Customers must remove all Text Features from their UIs. If this workaround is not feasible, because the Text Features are required, customers can write validation Functional Companions that examine the user input value for each text feature. Customers can then either reject input with HTML tags, or quote the input text so that the browser will not render the HTML tags when the value is displayed in the browser."

Vendor URL: otn.oracle.com/deploy/security/htdocs/oconfigvul.html

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History: None.

Source Message Contents

Date: Wed, 03 Apr 2002 22:57:42 -0500
Subject: Oracle Security Alert #31

http://otn.oracle.com/deploy/security/htdocs/oconfigvul.html
Oracle Security Alert #31
Dated: 1 April 2002
Oracle Configurator Security Issue: Potential Cross-site Scripting Attacks
Customers Affected
Customers who use the Oracle Configurator on the Internet and who use
Text Features and the DHTML UI need to read this alert and implement the
workaround or apply the patch. Customers who use Oracle Configurator on
the Internet, but do not use Text Features and the DHTML UI, should read
this alert, but it is likely they will not have to take any action. All
other customers do not need to read this alert.
Versions Affected
All Oracle Configurator released 11i patches. These potential
vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and
16.53. All previous versions have the potential described in this alert.
Platforms Affected
All Supported Platforms
Description
Oracle Configurator has been found vulnerable to potential cross-site
scripting attacks. This generic type of attack is described in a CERT
advisory, at http://www.cert.org/advisories/CA-2000-02.html. Oracle
strongly encourages all customers deploying Internet applications with
Oracle Configurator to read and understand this advisory.
The following potential vulnerabilities were identified in Oracle
Configurator. Each of these potential vulnerabilities is fixed by a
patch to Oracle Configurator.
1. Vulnerability to cross-site scripting attacks in text input boxes.
Configurator customers who use Text Features and the DHTML UI, and who
display Text Features in their UI, are vulnerable to cross-site
scripting attacks. If the end user of a DHTML UI were to type in html
tags that ran javascript or launched an applet, this code would have
access to the entire page. If you are not using Text Features, you need
not worry about this vulnerability.
2. Vulnerability to cross-site scripting attacks when using the test
parameter to the oracle.apps.cz.servlet.UiServlet servlet. If you pass a
string that is not a recognized argument to the ?test parameter, the
servlet returns a page with the argument rendered on the page.
3. Vulnerability to retrieving version and host information from
oracle.apps.cz.servlet.UiServlet. If you pass a test=version argument to
the servlet, it returns build and schema information. If you pass a
test=host argument, the servlet returns the hostname and port that the
web server is running on. Both of these potential vulnerabilities are
fixed in the patches described below. Furthermore, for this fix to be
active, you must add the following line to your jserv.properties file:
oracle.apps.cz.uiservlet.versionFuncsAvail=false
Likelihood of Occurrence
Oracle Configurator customers who use the DHTML UI and Text Features on
Internet applications must either implement the workarounds or install
the patch to preserve the security of data entered into Oracle
Configurator. Customers who do not use Text Features in the DHTML UI or
who do not deploy these applications over the Internet need not apply
this patch or implement the workarounds.
Solution
Apply the patch that is appropriate for your version of Oracle
Configurator, and then add the following line to your jserv.properties
file:
oracle.apps.cz.uiservlet.versionFuncsAvail=false
Patches

Branch                Build Number               ARU Number   Developer ARU Number
Patchset H and later  Fixed in the base release  Not needed   Not needed
Patchset G            11.5.7.17.32               2264442      2257907
Patchset F            11.5.6.16.53               2279864      2237471
Other                 Not available, please contact support
Workarounds
Workarounds are available only for the Text Features and DHTML UI
potential vulnerability.
Customers must remove all Text Features from their UIs. If this
workaround is not feasible, because the Text Features are required,
customers can write validation Functional Companions that examine the
user input value for each text feature. Customers can then either
reject input with HTML tags, or quote the input text so that the browser
will not render the HTML tags when the value is displayed in the
browser.
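The workaround quoted above (and in the SecurityTracker solution) leaves the actual validation to the customer's own Functional Companions. The block below is an added example, not Oracle's Functional Companion API or code, showing the two strategies the advisory names side by side: rejecting any value that contains HTML tags, or quoting (HTML-escaping) the value so the browser renders it as text. The function names, the tag heuristic and the render helper that stands in for the DHTML UI are assumptions made for the example.

```python
import html
import re

# Added example, not Oracle's code: validation logic modelled on the
# advisory's workaround for Text Features. A real Functional Companion
# would wrap something like this around each text feature's input value.

# Heuristic for "input contains HTML tags": '<' followed by an optional '/'
# and a letter, '!' or '?', which is what a browser treats as a tag opener.
# An unclosed "<script" is still caught; a bare "a < b" is not flagged.
TAG_PATTERN = re.compile(r"</?[A-Za-z!?]")


def contains_html_tags(value):
    return TAG_PATTERN.search(value) is not None


def validate_text_feature_reject(value):
    """Strategy 1 from the advisory: refuse input that contains HTML tags.
    Returns (accepted, value_or_message)."""
    if contains_html_tags(value):
        return False, "HTML tags are not permitted in this field"
    return True, value


def validate_text_feature_quote(value):
    """Strategy 2 from the advisory: accept the input but quote it so that
    '<', '>', '&' and quote characters are shown literally by the browser.
    This is the more robust choice because it does not depend on a tag heuristic."""
    return True, html.escape(value, quote=True)


def render_text_feature(label, stored_value):
    """Stand-in for the DHTML UI placing a stored value into the page."""
    return f'<span class="text-feature">{label}: {stored_value}</span>'


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying markup.
    for sample in ("Blue, size 42", '<img src=x onerror="x">'):
        print(validate_text_feature_reject(sample))
        ok, quoted = validate_text_feature_quote(sample)
        print(render_text_feature("Note", quoted))
```

With the quoting strategy the stored value reaches the page only in escaped form, so the rendered span contains `&lt;img ...&gt;` rather than a live tag; with the rejection strategy the value never reaches the page at all.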