Security Advisory: Oracle EBS - XSS and Unchecked Redirection vulnerabilities
January 20, 2009
The Oracle E-Business Suite (EBS) is a collection of business Enterprise Resource Planning, Customer Relationship Management, and Supply Chain Management applications developed by Oracle Corporation. Interaction with the client is achieved through the Apache web server, Java technology (Applets) and several other Oracle technologies. Business data is stored in the Oracle database.
Imperva’s Application Defense Center is conducting research into various business applications in order to devise better security solutions for them. As part of this research the team identified several cross-site scripting (XSS) vulnerabilities and an unchecked (open) redirect vulnerability in Oracle EBS.
These vulnerabilities can be exploited to steal sensitive data and to mount phishing attacks: script injected through an XSS flaw runs in the victim's authenticated EBS session, and an unchecked redirect lets an attacker send a victim from a trusted EBS URL to a site of the attacker's choosing. Data can be stolen from any user of the business suite, whether an employee of the organization that deploys EBS or a partner who accesses it in self-service mode.
Affected versions:
- Oracle Applications Release 11i.
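The advisory gives no parameter names or request details for the affected pages, so the following is an added illustration of the two vulnerability classes it names, not Imperva's or Oracle's code. It shows the check an application should apply to an attacker-controlled redirect target (rejecting protocol-relative, backslash, userinfo and non-HTTP forms that naive "does it start with our domain" checks miss) and the output encoding that prevents reflected XSS. The host name ebs.example.com and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit
import html

# Constructed for this example: the hosts a redirect may legitimately point to.
ALLOWED_HOSTS = {"ebs.example.com"}


def is_safe_redirect(target: str, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site relative path or an
    http(s) URL whose host is in `allowed_hosts`.

    The checks are ordered so that browser and parser quirks an attacker
    relies on are rejected before urlsplit() gets a chance to normalise them.
    """
    if not target:
        return False
    # Control characters and whitespace: browsers strip some of them, and
    # newer Python versions strip leading ones in urlsplit(), so "\t//evil"
    # could otherwise pass as relative.  Also blocks CRLF header injection.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in target:
        return False

    parts = urlsplit(target)
    if parts.netloc:
        # Absolute or protocol-relative URL: require an explicit http(s)
        # scheme and an allow-listed host.  urlsplit().hostname discards
        # userinfo and port, so "https://ebs.example.com@evil.example/"
        # yields "evil.example" and is rejected.
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    if parts.scheme:
        # No host but a scheme: "javascript:...", "data:...", or the
        # scheme-only form "http:evil.example" that some servers accept.
        return False
    # Relative path: must be exactly one leading slash ("//" was caught
    # above via netloc, but keep the check explicit).
    return target.startswith("/") and not target.startswith("//")


def escape_html(value: str) -> str:
    """Encode a value for insertion into HTML text or a quoted attribute.

    html.escape(quote=True) rewrites & < > " and ' so that user input
    reflected into a page cannot close the surrounding element or attribute.
    """
    return html.escape(value, quote=True)


def render_greeting(user_name: str) -> str:
    """Build a page fragment with the user-supplied name safely encoded."""
    return "<p>Welcome, <b>" + escape_html(user_name) + "</b></p>"


if __name__ == "__main__":
    # Constructed sample inputs, the kind an attacker would put in a
    # "return to" parameter or a reflected form field.
    for t in ["/home", "//evil.example/", "/\\evil.example",
              "https://ebs.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{t!r:45} safe={is_safe_redirect(t)}")
    print(render_greeting('<script>alert("x")</script>'))
```

The allow-list approach is deliberate: trying to enumerate bad patterns in the redirect target is what produces the bypasses listed in the comments. Encoding is applied at output time, in the context where the value lands, rather than by stripping characters on input.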
The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.
Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact firstname.lastname@example.org for permission.