In association with heise online

23 March 2007, 12:40

Cross-site scripting in Oracle's Application Server


A vulnerability in Oracle's Application Server allows attackers to execute arbitrary JavaScript code in users' browsers. A user by the name of Sea Shark has published a sample address for an Oracle portal site (PORTAL.wwv_main.render_warning_screen) to demonstrate the hole.

According to analyses conducted by security service provider FrSIRT, the vulnerability is the result of a flawed check of user input in the Dynamic Monitoring Service (DMS). The DMS fails to validate table parameters properly, which allows malicious individuals to inject JavaScript code into a user's browser by means of specially prepared links, sent in e-mails for example. The injected code is then executed in the browser within the security context of the Web application.
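To make the mechanism concrete, here is an added example (not Oracle's code, and not from FrSIRT's analysis) that contrasts the vulnerable pattern the article describes, a request parameter copied verbatim into a server-generated page, with the hardened form that HTML-encodes it first, plus a small check a defender can run over request URLs to spot parameters carrying markup. The host `portal.example`, the path `/warning` and the parameter name `p_message` are assumed placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template standing in for a server-rendered warning screen.
# Assumed placeholder names: path /warning, parameter p_message.


def render_warning_unsafe(message: str) -> str:
    """Vulnerable pattern: the user-controlled parameter is interpolated
    into the HTML body without any encoding, so any markup in it becomes
    part of the page and runs in the application's origin."""
    return f"<html><body><h1>Warning</h1><p>{message}</p></body></html>"


def render_warning_safe(message: str) -> str:
    """Hardened pattern: HTML-encode the value before placing it in an
    element body. Angle brackets, quotes and ampersands become entities,
    so the browser renders them as text instead of parsing them."""
    return (
        "<html><body><h1>Warning</h1><p>"
        f"{html.escape(message, quote=True)}"
        "</p></body></html>"
    )


def message_from_url(url: str, param: str = "p_message") -> str:
    """Extract the (URL-decoded) parameter a crafted link would carry."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(param, [""])[0]


# Characters that have no business in a plain-text parameter of this kind
# and that indicate markup or attribute injection when they appear decoded.
SUSPICIOUS_CHARS = ("<", ">", '"', "'")


def suspicious_params(url: str) -> list:
    """Defender-side check for proxy or access logs: return the names of
    query parameters whose decoded value contains markup characters."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name
        for name, values in qs.items()
        if any(c in value for value in values for c in SUSPICIOUS_CHARS)
    )


if __name__ == "__main__":
    # Constructed request URL; the encoded value decodes to "<b>hi</b>".
    url = "https://portal.example/warning?p_message=%3Cb%3Ehi%3C/b%3E&lang=en"
    msg = message_from_url(url)
    print("unsafe:", render_warning_unsafe(msg))
    print("safe:  ", render_warning_safe(msg))
    print("flagged parameters:", suspicious_params(url))
```

The contrast is the whole point: the unsafe renderer emits the parameter's tags as live markup, the safe one emits `&lt;b&gt;hi&lt;/b&gt;`, and the log check reports `p_message` while ignoring the harmless `lang` value. Encoding on output, at the point where the value enters HTML, is the fix; filtering a few characters on input is not a substitute.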

Oracle portal users are therefore advised not to reach the portal through links in e-mails or on dubious websites, but rather to access the site via their own bookmarks.

For more information, see:

