Category:   Application (Database)  >   Oracle Configurator
Vendors:   Oracle
Oracle Configurator Filtering Holes Let Remote Users Conduct Cross-Site Scripting Attacks Against Configurator Users to Obtain Sensitive Information
SecurityTracker Alert ID:  1003967
SecurityTracker URL:  http://securitytracker.com/id/1003967
CVE Reference:   CVE-2002-1639, CVE-2002-1640   (Links to External Site)
Updated:  May 22 2008
Original Entry Date:  Apr 4 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 11i Patches
Description:   Oracle has reported a security vulnerability in the Oracle Configurator. A remote user can conduct cross-site scripting attacks against Configurator users.

A remote user can reportedly conduct cross-site scripting attacks against Oracle Configurator users that implement the DHTML UI and Text Features on Internet applications.

It is also reported that a remote user can supply HTML code containing javascript to certain text input boxes of the Configurator so that when other Configurator users view the page, the user-supplied code will be executed in the victim's browser. The code will reportedly be able to access any information on the page.

According to the report, a remote user can also supply a specially crafted URL with an invalid string for the ?test parameter of the oracle.apps.cz.servlet.UiServlet to cause the servlet to render a page that displays the user-supplied argument.

A remote user can also retrieve version and host information from the oracle.apps.cz.servlet.UiServlet by passing a 'test=version' argument or 'test=host' argument to the servlet.

Impact:   A remote user can conduct cross-site scripting attacks to cause arbitrary code to be executed on a Configurator user's browser to obtain sensitive information from Configurator pages.
Solution:   The vendor has released patches to correct the flaws.

Apply the appropriate patch for your version of Oracle Configurator and then add the following line to your jserv.properties file:

oracle.apps.cz.uiservlet.versionFuncsAvail=false

These potential vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and 16.53:

Patchset H and later: fixed in the base release, no patch needed
Patchset G: Build Number 11.5.7.17.32, ARU 2264442, Developer ARU 2257907
Patchset F: Build Number 11.5.6.16.53, ARU 2279864, Developer ARU 2237471

The vendor has provided the following workaround for the Text Features and DHTML UI vulnerability:

"Customers must remove all Text Features from their UIs. If this workaround is not feasible, because the Text Features are required, customers can write validation Functional Companions that examine the user input value for each text feature. Customers can then either reject input with HTML tags, or quote the input text so that the browser will not render the HTML tags when the value is displayed in the browser."

Vendor URL:  otn.oracle.com/deploy/security/htdocs/oconfigvul.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Oracle Security Alert #31


http://otn.oracle.com/deploy/security/htdocs/oconfigvul.html

Oracle Security Alert #31 
Dated: 1 April 2002 

Oracle Configurator Security Issue: Potential Cross-site Scripting Attacks

Customers Affected 

Customers who use the Oracle Configurator on the Internet and who use
Text Features and the DHTML UI need to read this alert and implement the
workaround or apply the patch. Customers who use Oracle Configurator on
the Internet, but do not use Text Features and the DHTML UI, should read
this alert, but it is likely they will not have to take any action. All
other customers do not need to read this alert. 

Versions Affected 

All Oracle Configurator released 11i patches. These potential
vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and
16.53. All previous versions have the potential described in this alert. 

Platforms Affected 

All Supported Platforms 

Description 

Oracle Configurator has been found vulnerable to potential cross-site
scripting attacks. This generic type of attack is described in a CERT
advisory, at http://www.cert.org/advisories/CA-2000-02.html. Oracle
strongly encourages all customers deploying Internet applications with
Oracle Configurator to read and understand this advisory. 

The following potential vulnerabilities were identified in Oracle
Configurator. Each of these potential vulnerabilities is fixed by a
patch to Oracle Configurator. 

  1. Vulnerability to cross-site scripting attacks in text input boxes.
     Configurator customers who use Text Features and the DHTML UI, and who
     display Text Features in their UI, are vulnerable to cross-site
     scripting attacks. If the end user of a DHTML UI were to type in html
     tags that ran javascript or launched an applet, this code would have
     access to the entire page. If you are not using Text Features, you need
     not worry about this vulnerability. 
  2. Vulnerability to cross-site scripting attacks when using the test
     parameter to the oracle.apps.cz.servlet.UiServlet servlet. If you pass a
     string that is not a recognized argument to the ?test parameter, the
     servlet returns a page with the argument rendered on the page. 
  3. Vulnerability to retrieving version and host information from
     oracle.apps.cz.servlet.UiServlet. If you pass a test=version argument to
     the servlet, it returns build and schema information. If you pass a
     test=host argument, the servlet returns the hostname and port that the
     web server is running on. Both of these potential vulnerabilities are
     fixed in the patches described below. Furthermore, for this fix to be
     active, you must add the following line to your jserv.properties file: 

          oracle.apps.cz.uiservlet.versionFuncsAvail=false

Likelihood of Occurrence 

Oracle Configurator customers who use the DHTML UI and Text Features on
Internet applications must either implement the workarounds or install
the patch to preserve the security of data entered into Oracle
Configurator. Customers who do not use Text Features in the DHTML UI or
who do not deploy these applications over the Internet need not apply
this patch or implement the workarounds. 

Solution 

Apply the patch that is appropriate for your version of Oracle
Configurator, and then add the following line to your jserv.properties
file: 

oracle.apps.cz.uiservlet.versionFuncsAvail=false 

Patches 

 Branch                Build Number                ARU Number   Developer ARU Number
 Patchset H and later  Fixed in the base release   Not needed   Not needed
 Patchset G            11.5.7.17.32                2264442      2257907
 Patchset F            11.5.6.16.53                2279864      2237471
 Other                 Not available, please contact support

Workarounds 

Workarounds are available only for the Text Features and DHTML UI
potential vulnerability. 

Customers must remove all Text Features from their UIs. If this
workaround is not feasible, because the Text Features are required,
customers can write validation Functional Companions that examine the
user input value for each text feature.  Customers can then either
reject input with HTML tags, or quote the input text so that the browser
will not render the HTML tags when the value is displayed in the
browser.
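The two defences the alert describes, the text-feature validation (reject tagged input or quote it before display) and a ?test handler that neither reflects unrecognized arguments nor exposes version/host data unless the jserv.properties flag allows it, written out as an added example. This is not Oracle's code and does not use the oracle.apps.cz Functional Companion API; the class and method names, and the default of "false" for the property, are assumptions.

```java
import java.util.Properties;
import java.util.regex.Pattern;

/* Added example, not Oracle Configurator code: plain Java helpers that a
 * validation Functional Companion or servlet front end could call.
 * Names are assumptions; nothing here touches the real oracle.apps.cz API. */
public final class ConfiguratorInputGuard {

    /* Matches anything shaped like an HTML tag: <script>, <img ...>, </b>.
     * This is a heuristic for the "reject" workaround; escaping (below) is
     * the robust option because it needs no guess about what a tag is. */
    private static final Pattern TAG = Pattern.compile("<\\s*/?\\s*[a-zA-Z][^>]*>");

    /* Workaround option 1: refuse text-feature values that carry HTML tags. */
    public static boolean containsHtmlTag(String value) {
        return value != null && TAG.matcher(value).find();
    }

    /* Workaround option 2: quote the value so the browser shows the tags as
     * literal text instead of rendering them. All five characters that are
     * significant in HTML text and attribute context are encoded. */
    public static String escapeHtml(String value) {
        if (value == null) return "";
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /* Hardened handling of a ?test= style parameter: the diagnostics are
     * gated by the property the alert adds to jserv.properties (assumed to
     * default to false here), only whitelisted arguments do anything, and an
     * unknown argument is answered with constant text, never echoed back. */
    public static String handleTestParam(String arg, Properties cfg) {
        boolean diagAllowed = Boolean.parseBoolean(
            cfg.getProperty("oracle.apps.cz.uiservlet.versionFuncsAvail", "false"));
        if (!diagAllowed) return "diagnostics disabled";
        if ("version".equals(arg)) return "build: [placeholder build id]";
        if ("host".equals(arg)) return "host: [placeholder host:port]";
        return "unrecognized test argument";
    }
}
```

With the property left at false, both test=version and test=host return only "diagnostics disabled", which is the behaviour the alert's configuration line is meant to produce.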
