lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <000c01c6f6c2$6ee55750$1b02a8c0@rds.local>
Date: Mon, 23 Oct 2006 18:43:54 +0200
From: "Alexander Kornbrust" <ak@...-database-security.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cross-Site-Scripting Vulnerabilitiy in Oracle
	APEX NOTIFICATION_MSG

Cross-Site-Scripting Vulnerabilitiy in Oracle APEX NOTIFICATION_MSG

Name 	      Cross-Site-Scripting Vulnerabilitiy in Oracle APEX
NOTIFICATION_MSG
Systems Affected 	Oracle APEX/HTMLDB
Severity 	Medium Risk
Category 	Cross Site Scripting (XSS/CSS)
Vendor URL 	http://www.oracle.com/
Author 	Alexander Kornbrust (ak at red-database-security.com)
Date 	      18 October 2006 (V 1.00)
Advisory
http://www.red-database-security.com/advisory/oracle_apex_css_notification_m
sg.html

Details
#######
The parameter NOTIFCATION_MSG parameter contains a cross site scripting
vulnerability.

Affected Products
#################
Oracle APEX/HTMLDB < 2.2.1


Patch Information
#################
This bug is fixed with the patch 2.2.1 of APEX which is not part of the
Critical Patch Update October 2006. It's necessary to upgrade your
APEX/HTMLDB installation to 2.2.1. Patches are currently not available for
Oracle Application Express.



History
#######
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory



Additional Information
######################
An analysis of the Oracle CPU Oct 2006 is available here
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ