Oracle Configurator Filtering Holes Let Remote Users Conduct Cross-Site Scripting Attacks Against Configurator Users to Obtain Sensitive Information
SecurityTracker Alert ID: 1003967
SecurityTracker URL: http://securitytracker.com/id/1003967
Updated: May 22 2008
Original Entry Date: Apr 4 2002
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): 11i Patches
Oracle has reported a security vulnerability in the Oracle Configurator. A remote user can conduct cross-site scripting attacks against Configurator users.
A remote user can reportedly conduct cross-site scripting attacks against users of Oracle Configurator deployments that implement the DHTML UI and Text Features on Internet applications.
According to the report, a remote user can also supply a specially crafted URL with an invalid string for the ?test parameter of the oracle.apps.cz.servlet.UiServlet to cause the servlet to render a page that displays the user-supplied argument.
A remote user can also retrieve version and host information from the oracle.apps.cz.servlet.UiServlet by passing a 'test=version' argument or 'test=host' argument to the servlet.
A remote user can conduct cross-site scripting attacks to cause arbitrary code to be executed on a Configurator user's browser to obtain sensitive information from Configurator pages.
The vendor has released patches to correct the flaws.
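As an added defender-side example (not part of the SecurityTracker entry or of Oracle's alert), the Python below scans web-server access-log lines for requests that use the ?test hook of oracle.apps.cz.servlet.UiServlet and separates the two behaviours described above: test=version and test=host, which disclose build and host details on an unpatched servlet, and any other value, which is reflected into the response page. The log lines are constructed, and the /servlets/ mount path is an assumption; the match keys only on the servlet class name.

```python
import re
from urllib.parse import urlsplit, parse_qs

SERVLET_CLASS = "oracle.apps.cz.servlet.UiServlet"
# ?test values the unpatched servlet answers with build/schema or host/port
# details (named in the alert); any other value is reflected, unescaped,
# into the response page.
INFO_DISCLOSURE_VALUES = {"version", "host"}

# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status size
CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines, not real traffic; the /servlets/ mount point
# is an assumption, the check below only looks at the servlet class name.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2002:10:01:02 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=version HTTP/1.0" 200 512
10.0.0.5 - - [04/Apr/2002:10:01:05 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=host HTTP/1.0" 200 310
10.0.0.9 - - [04/Apr/2002:10:02:11 +0000] "GET /servlets/oracle.apps.cz.servlet.UiServlet?test=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.0" 200 640
10.0.0.7 - - [04/Apr/2002:10:03:00 +0000] "GET /OA_HTML/index.html HTTP/1.0" 200 2048
"""

def classify_request(line):
    """Return a finding for a UiServlet request that uses ?test, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if not url.path.endswith(SERVLET_CLASS):
        return None
    test_values = parse_qs(url.query, keep_blank_values=True).get("test")
    if not test_values:
        return None  # ordinary Configurator traffic, the test hook is not used
    value = test_values[0]  # parse_qs has already percent-decoded it
    kind = ("info-disclosure" if value.lower() in INFO_DISCLOSURE_VALUES
            else "reflected-input")
    return {"client": m.group("client"), "time": m.group("ts"),
            "kind": kind, "test": value, "status": m.group("status")}

def scan_log(text):
    """Classify every line of an access log; findings come back in log order."""
    return [f for f in map(classify_request, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['kind']}: test={f['test']!r}")
```

On a patched system the same query strings are still worth alerting on, since they show someone probing for the old behaviour.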
Apply the appropriate patch for your version of Oracle Configurator and then add the following line to your jserv.properties file:
These potential vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and 16.53.
Patchset H and later
Patchset G, Build Number 18.104.22.168.32, ARU 2264442, Developer ARU 2257907
Patchset F, Build Number 22.214.171.124.53, ARU 2279864, Developer ARU 2237471
The vendor has provided the following workaround for the Text Features and DHTML UI vulnerability:
"Customers must remove all Text Features from their UIs. If this workaround is not feasible, because the Text Features are required, customers can write validation Functional Companions that examine the user input value for each text feature. Customers can then either reject input with HTML tags, or quote the input text so that the browser will not render the HTML tags when the value is displayed in the browser."
Vendor URL: otn.oracle.com/deploy/security/htdocs/oconfigvul.html
Input validation error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Source Message Contents
Subject: Oracle Security Alert #31
Oracle Security Alert #31
Dated: 1 April 2002
Oracle Configurator Security Issue: Potential Cross-site Scripting
Customers who use the Oracle Configurator on the Internet and who use
Text Features and the DHTML UI need to read this alert and implement the
workaround or apply the patch. Customers who use Oracle Configurator on
the Internet, but do not use Text Features and the DHTML UI, should read
this alert, but it is likely they will not have to take any action. All
other customers do not need to read this alert.
All Oracle Configurator released 11i patches. These potential
vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and
16.53. All previous versions have the potential described in this alert.
All Supported Platforms
Oracle Configurator has been found vulnerable to potential cross-site
scripting attacks. This generic type of attack is described in a CERT
advisory, at http://www.cert.org/advisories/CA-2000-02.html. Oracle
strongly encourages all customers deploying Internet applications with
Oracle Configurator to read and understand this advisory.
The following potential vulnerabilities were identified in Oracle
Configurator. Each of these potential vulnerabilities is fixed by a
patch to Oracle Configurator.
1. Vulnerability to cross-site scripting attacks in text input boxes.
Configurator customers who use Text Features and the DHTML UI, and who
display Text Features in their UI, are vulnerable to cross-site
scripting attacks. If the end user of a DHTML UI were to type in html
access to the entire page. If you are not using Text Features, you need
not worry about this vulnerability.
2. Vulnerability to cross-site scripting attacks when using the test
parameter to the oracle.apps.cz.servlet.UiServlet servlet. If you pass a
string that is not a recognized argument to the ?test parameter, the
servlet returns a page with the argument rendered on the page.
3. Vulnerability to retrieving version and host information from
oracle.apps.cz.servlet.UiServlet. If you pass a test=version argument to
the servlet, it returns build and schema information. If you pass a
test=host argument, the servlet returns the hostname and port that the
web server is running on. Both of these potential vulnerabilities are
fixed in the patches described below. Furthermore, for this fix to be
active, you must add the following line to your jserv.properties file:
Likelihood of Occurrence
Oracle Configurator customers who use the DHTML UI and Text Features on
Internet applications must either implement the workarounds or install
the patch to preserve the security of data entered into Oracle
Configurator. Customers who do not use Text Features in the DHTML UI or
who do not deploy these applications over the Internet need not apply
this patch or implement the workarounds.
Apply the patch that is appropriate for your version of Oracle
Configurator, and then add the following line to your jserv.properties
Patchset              Build Number         ARU Number   Developer ARU Number
Patchset H and later  Fixed in the base release
Patchset G            18.104.22.168.32     2264442      2257907
Patchset F            22.214.171.124.53    2279864      2237471
Workarounds are available only for the Text Features and DHTML UI
Customers must remove all Text Features from their UIs. If this
workaround is not feasible, because the Text Features are required,
customers can write validation Functional Companions that examine the
user input value for each text feature. Customers can then either
reject input with HTML tags, or quote the input text so that the browser
will not render the HTML tags when the value is displayed in the
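Added example, not Oracle's code and not using the Functional Companion API: the two workarounds the alert describes (reject a text feature value that carries HTML tags, or quote it so the browser displays the tags as literal text) written as plain Python that a server-side validation hook could call. The regular expression deciding what counts as a tag is my assumption, not the alert's.

```python
import html
import re

# Start of an HTML tag, end tag, comment or declaration: "<" followed
# directly by a letter, "/", "!" or "?". A lone "<" (as in "x < y") is not
# a tag and is left alone.
TAG_START_RE = re.compile(r"<[A-Za-z/!?]")

def contains_html_tag(value):
    """True if the value carries something a browser would parse as a tag."""
    return TAG_START_RE.search(value) is not None

def validate_text_feature(value, mode="quote"):
    """Apply one of the alert's two workarounds to a Text Feature input value.

    mode="reject": refuse any value that carries an HTML tag -> (False, None).
    mode="quote":  accept the value but return it HTML-escaped, so the browser
                   displays the tags as literal text instead of rendering them.
    Returns (accepted, value_to_store). Quoting is the more robust option:
    it does not depend on recognising every tag form, and it also neutralises
    stray quotes and ampersands. Escape exactly once, either when the value
    is stored (as here) or when it is displayed, never both.
    """
    if mode == "reject":
        return (False, None) if contains_html_tag(value) else (True, value)
    if mode == "quote":
        return True, html.escape(value, quote=True)
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    # Constructed sample inputs: a tagged value, a plain value with a quote,
    # and a bare "<" that must not be mistaken for a tag.
    for sample in ("<b>bold</b> name", 'Model X-12 5" rack', "x < y"):
        print(repr(sample),
              "reject ->", validate_text_feature(sample, "reject"),
              "quote ->", validate_text_feature(sample, "quote"))
```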