Cross-site scripting in Oracle's Application Server
A vulnerability in Oracle's Application Server allows attackers to execute arbitrary JavaScript code in users' browsers. A user by the name of Sea Shark has published a sample address for an Oracle portal site (PORTAL.wwv_main.render_warning_screen) to demonstrate the hole.
According to analyses conducted by security service provider FrSIRT, the vulnerability is the result of a flawed check of user input in the Dynamic Monitoring Service (DMS). The DMS fails to properly validate the table parameter before echoing it back, allowing malicious individuals to inject JavaScript code into the page a user sees by means of specially prepared links, for example in e-mails. The code is then executed in the browser with the privileges of the Web application's origin.
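The mechanism described above is a reflected cross-site scripting flaw: a query parameter is copied verbatim into the HTML response, so anything a link carries is parsed by the browser as markup. The following added example (written for this article, not code from Oracle or from either advisory) shows a minimal vulnerable reflection beside a hardened version that applies an allowlist check to the parameter and HTML-encodes whatever it echoes. The URL, hostname, page text and the identifier rule in TABLE_NAME_RE are constructed assumptions for the demonstration, not the real portal endpoint.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for what a "table" parameter should plausibly carry. This identifier
# syntax is an assumption for the example; a real deployment would use its own rule.
TABLE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$.]{0,127}$")


def table_param_from_url(url: str) -> str:
    """Extract the 'table' query parameter from a link ('' if absent).
    parse_qs percent-decodes the value, exactly as a server would."""
    return parse_qs(urlsplit(url).query).get("table", [""])[0]


def is_valid_table_name(table: str) -> bool:
    """Input validation layer: accept only values shaped like identifiers."""
    return TABLE_NAME_RE.fullmatch(table) is not None


def render_warning_vulnerable(table: str) -> str:
    """Reflects the parameter verbatim into the page: whatever the link carries
    becomes part of the HTML the browser parses, including script tags."""
    return (
        "<html><body><h1>Warning</h1>"
        f"<p>Table {table} is unavailable.</p></body></html>"
    )


def render_warning_safe(table: str) -> str:
    """Two defensive layers: reject values that are not plausible identifiers,
    and HTML-encode whatever is echoed (quote=True also covers attribute
    contexts) so it is rendered as text, never interpreted as markup."""
    if not is_valid_table_name(table):
        table = "(invalid table name)"
    return (
        "<html><body><h1>Warning</h1>"
        f"<p>Table {html.escape(table, quote=True)} is unavailable.</p></body></html>"
    )


def reflects_markup(rendered: str, candidate: str) -> bool:
    """True if the candidate appears unencoded in the output, i.e. the browser
    would treat it as markup rather than as text."""
    return candidate in rendered


if __name__ == "__main__":
    # Constructed links; host and path are placeholders, not the real portal URL.
    benign = "https://portal.example/warn?table=EMPLOYEES"
    hostile = "https://portal.example/warn?table=%3Cscript%3Ealert(1)%3C/script%3E"
    for url in (benign, hostile):
        t = table_param_from_url(url)
        print(f"parameter: {t!r}")
        print("  vulnerable output carries a script tag:",
              reflects_markup(render_warning_vulnerable(t), "<script>"))
        print("  hardened output carries a script tag:  ",
              reflects_markup(render_warning_safe(t), "<script>"))
```

The allowlist is the fix the article's wording points at (a proper check of user input); the output encoding is the layer that protects the page even if that check is later loosened, because encoding is tied to the HTML context the value lands in rather than to assumptions about what the value should look like.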
Oracle portal users are therefore advised not to follow links to the portal from e-mails or dubious websites, but rather to access the site via their own bookmarks.
- Oracle Portal PORTAL.wwv_main.render_warning_screen XSS, Sea Shark's security advisory
- Oracle Application Server "table" Parameter Handling Cross Site Scripting Vulnerability, FrSIRT's analysis
(ehe)