Security Advisory: [SNS Advisory No.84] Oracle Application Server HTTP Response Splitting Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Multiple Oracle application server vulnerabilities
  Oracle Applications/Portal 9i/10g Cross Site Scripting
  Oracle Portal 10g HTTP Response Splitting
  Modify Data via Inline Views
  Various Cross-Site-Scripting Vulnerabilities in Oracle Reports

From: snsadv_(at)_lac.co.jp <snsadv_(at)_lac.co.jp>
Date: 22.10.2005
Subject: [SNS Advisory No.84] Oracle Application Server HTTP Response Splitting Vulnerability

----------------------------------------------------------------------
SNS Advisory No.84
Oracle Application Server HTTP Response Splitting Vulnerability

Problem first discovered on: Tue, 01 Feb 2005
Published on: Tue, 21 Oct 2005
----------------------------------------------------------------------

Severity Level:
---------------
Medium

Overview:
---------
Oracle Application Server has vulnerabilities of HTTP Response Splitting.
This makes possible to represent an unreal content as if it is real or
to cause Cross Site Scripting attacks.

Problem Description:
--------------------
Oracle Application Server has Session URL Rewriting function, which can embed
and specify session management parameters in URL.

In Session URL Rewriting function, the server does not sanitize Special
character appropriately when resetting the specified session
management parameters as Cookie.

Therefore, arbitrary HTTP header or content can be outputted as the
response when specifying session management parameters including
arbitrary content prefixed with a linefeed code.

In the result, representing unreal content as if it is real or causing
Cross Site Scripting attacks can be possible. And this might be
exploited for Phishing Fraud, Session Hijack, and so on.

Tested Versions:
----------------
Oracle9i Application Server Release 2 (9.0.2.3)
Oracle Application Server 10g Release 1 (9.0.4.2)
Oracle Application Server 10g Release 2 (10.1.2.0)

Solution:
---------
Apply Critical Patch Update - October 2005
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html

Discovered by:
--------------
Keigo Yamazaki (LAC)

Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd.
shall take no responsibility for any problems, loss or damage caused
by, or by the use of information provided here.

This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/84_e.html
----------------------------------------------------------------------