Oracle EBS - XSS Vulnerability

Background

The Oracle E-Business Suite (EBS) is a collection of Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Supply Chain Management (SCM) applications developed by Oracle Corporation. Clients interact with it through the Apache web server, Java technology (applets) and several other Oracle technologies; business data is stored in the Oracle database.

Scope

Imperva’s Application Defense Center (ADC) is conducting research into various business applications in order to devise better security solutions for them. As part of this research the team identified an XSS vulnerability in the Oracle EBS software package.

Findings

The vulnerability is a reflected cross-site scripting (XSS) flaw in the EBS online help system: a parameter of the help page is written back into the page without encoding, so an attacker who lures a user into following a crafted link can run script in that user's EBS session. It can be exploited to steal sensitive data and to mount phishing attacks. More specifically, data can be stolen from the users of the business suite, whether these are employees of the organization that deploys EBS or partners that access it in self-service mode.

Exploit

  • http://first.imperva:8003/OA_HTML/jsp/fnd/fndhelp.jsp?lang=US&root=FND:LIBRARY&path=paros%22%20style=%22background:url(javascript:alert('Imperva'))
  • Note that this exploit does not require angle brackets. The path parameter is reflected inside a quoted HTML attribute, so a double quote (%22) closes that attribute and a new style attribute carrying a javascript: URL is appended; a filter that only blocks < and > therefore does not stop it. The javascript: URL in a CSS background fires in browsers of the period that honour script URLs in style properties (Internet Explorer did), but the attribute break-out itself is browser-independent.
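The following is an added example and not code from the Imperva advisory or from Oracle EBS. It simulates how a path parameter like the one above is reflected into an HTML attribute, runs the advisory's own payload through an unencoded rendering, an angle-bracket-stripping filter and a correct attribute-context encoder, and parses the result the way a browser would to see whether a foreign attribute appeared. The template, the filter, the request check and all function names are assumptions made for illustration; the real fndhelp.jsp markup is not shown in the advisory.

```python
"""
Added example, not code from the Imperva advisory or from Oracle EBS: a
simulation of how the `path` parameter of fndhelp.jsp is reflected into an
HTML attribute, showing why the advisory's payload needs no angle brackets
and what output encoding neutralises it.  The template, the filter and all
function names are assumptions made for illustration.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Exploit URL from the advisory (the host name is the advisory's test host).
EXPLOIT_URL = (
    "http://first.imperva:8003/OA_HTML/jsp/fnd/fndhelp.jsp"
    "?lang=US&root=FND:LIBRARY"
    "&path=paros%22%20style=%22background:url(javascript:alert('Imperva'))"
)

# Assumed template: the real fndhelp.jsp markup is not shown in the advisory.
TEMPLATE = '<input type="hidden" name="path" value="%s">'


def path_param(url):
    """Decode the `path` query parameter as the JSP would receive it."""
    return parse_qs(urlsplit(url).query)["path"][0]


def render_unencoded(path):
    """Vulnerable: the parameter lands in a quoted attribute verbatim."""
    return TEMPLATE % path


def render_angle_bracket_filter(path):
    """Still vulnerable: stripping < and > leaves the quote that closes the
    value attribute, so a new attribute (here `style`) can be appended."""
    return TEMPLATE % path.replace("<", "").replace(">", "")


def render_attribute_encoded(path):
    """Fixed: encode for HTML attribute context, which turns the injected
    quote into &quot; so the value can never escape its attribute."""
    return TEMPLATE % html.escape(path, quote=True)


class _FirstTagAttrs(HTMLParser):
    """Collect the attributes a browser's parser would assign to the tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Parse the rendered tag and return its attribute dictionary."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def attribute_injected(markup):
    """True when the rendered tag carries an attribute the template never had."""
    return bool(set(parsed_attributes(markup)) - {"type", "name", "value"})


# Illustrative request check in the spirit of a WAF pattern (assumed, not
# Imperva's own signature): a quote followed by an attribute assignment, or
# a javascript: URL, inside any decoded query parameter.
_BREAKOUT = re.compile(r"""["'][^"'=]*\b(style|on\w+|src|href)\s*=|javascript:""", re.I)


def suspicious_parameters(url):
    """Return the names of query parameters matching the break-out pattern."""
    params = parse_qs(urlsplit(url).query)
    return sorted(name for name, values in params.items()
                  if any(_BREAKOUT.search(v) for v in values))


if __name__ == "__main__":
    payload = path_param(EXPLOIT_URL)
    for fn in (render_unencoded, render_angle_bracket_filter, render_attribute_encoded):
        markup = fn(payload)
        print(f"{fn.__name__:30} injected={attribute_injected(markup)}")
        print("   ", markup)
    print("suspicious params:", suspicious_parameters(EXPLOIT_URL))
```

The check is done on the parsed attribute set rather than by string matching, because that is what decides whether a browser sees a second attribute. Only the attribute-context encoding keeps the payload inside the value attribute; the angle-bracket filter changes nothing, since the payload contains none.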

Tested Version

Vulnerable
  • Oracle applications release 11i.

Workaround and Mitigation

The vulnerability can be eliminated if the online help system is removed, i.e. if the help page (/OA_HTML/jsp/fnd/fndhelp.jsp) is no longer reachable by users.

The SecureSphere Web Application Firewall and Database Security Gateway protect unpatched systems against this vulnerability by default via application profile protection. The ADC has also delivered an updated defense pattern to specifically identify exploit attempts.

Vendor Status

Vendor notified on 05/13/07. Patch released by vendor on 07/17/07.

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact adc@imperva.com for permission.