============================================= INTERNET SECURITY AUDITORS ALERT 2010-007 - Original release date: August 11th, 2010 - Last revised: May 1st, 2011 - Discovered by: Vicente Aguilera Diaz - Severity: 5.0/10 (CVSS Base Scored) ============================================= I. VULNERABILITY ------------------------- XSS in Oracle Portal Database Access Descriptor II. BACKGROUND ------------------------- Oracle AS Portal is a Web-based application for building and deploying portals. It provides a secure, manageable environment for accessing and interacting with enterprise software services and information resources. III. DESCRIPTION ------------------------- Has been detected a reflected XSS vulnerability in Oracle Application Server, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the DAD name. A DAD (Database Access Descriptor) is a set of values that specifies how a database server should fulfill a HTTP request. IV. PROOF OF CONCEPT ------------------------- Original request: http://<oracle-application-server>/portal/pls/<DAD> Malicious request: http://<oracle-application-server>/portal/pls/<XSS injection> Example 1: http://<oracle-application-server>/portal/pls/"<H1>XSS vulnerability<XSS In this scenario, the attacker has the difficulty of being unable to close the HTML tag because he's can not add the character "/" as part of the code injection (DAD name). However, it is possible to generate that character without appearing in the injection. Below is an example. Example 2: http://<oracle-application-server>/portal/pls/"<img src="" onmouseover="document.body.innerHTML=String.fromCharCode(60,72,84,77,76,62,60,72,49,62,88,83,83,60,47,72,49,62,32,60,72,50,62,86,85,76,78,60,47,72,50,62);"><XSS V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- Tested in Oracle Application Server Portal (Oracle AS Portal) 10g, version 10.1.2. Other versions may be affected too. VII. SOLUTION ------------------------- Install last CPU (Critical Patch Update). VIII. REFERENCES ------------------------- http://www.oracle.com http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- August 11, 2010: Initial release May 01, 2011: Final revision XI. DISCLOSURE TIMELINE ------------------------- August 11, 2010: Discovered by Internet Security Auditors August 11, 2010: Oracle contacted including PoC. August 12, 2010: Oracle inform that will investigate the vulnerability. April 19, 2011: Oracle fixed the vulnerability in the CPU (Critical Patch Update). May 01, 2011: Sent to lists. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.