[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Hacktics Advisory Feb09: XSS in Oracle E-Business Suite
Hacktics Research Group Security Advisory
By Gil Cohen, Hacktics.
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in an Oracle E-Business Suite deployment.
Further research has identified that a web interface showing user errors are
vulnerable to reflected cross site scripting attacks.
A friendly formatted version of this advisory is available in:
II. The Finding
The XSS vulnerability appears in the error details page,
OAErrorDetailPage.jsp when the server is in diagnostics mode, and requires
an additional preliminary step to invoke. When an application error occurs,
the application presents a general error message with a link to the detailed
error page. The detailed error page is vulnerable to scripting attacks
embedded in input sent to the page that caused the error. An attacker can
exploit this by sending users or administrators a malicious link that causes
an error and contains a malicious script, and urges them to navigate to the
details page causing the malicious script to be executed.
Hacktics' research classifies the risk of the vulnerability as Low, due to
the combination of the non default diagnostic mode, and the complex
invocation scenario, which reduce the probability of successfully exploiting
The XSS vulnerability requires that an error is raised first, through
OA.jsp. The page that receives the malicious script and raises the error
resides at the following address:
The application then displays a general error message with a link to a more
detailed error page (OAErrorDetailPage.jsp). When the user navigates to the
vulnerable error details page, the script executes:
The exploit is performed by replacing malicious_script with the relevant
V. Affected Systems
The vulnerability was identified in version 12.1.1.
VI. Vendor's Response/Solution
Oracle's security alerts group has been notified of this vulnerability in
early November 2009.
The vulnerability has been acknowledged by Oracle, and has already been
fixed in the Jul-2009 CPU:
Oracle has also pointed out that this vulnerability is only applicable when
the system is in diagnostics mode. Customers are recommended to avoid
running their systems in diagnostics mode while in production.
The vulnerability was discovered by Gil Cohen from Hacktics Ltd.
Chairman, OWASP Israel