Security Advisory: Oracle EBS - XSS and Unchecked Redirection vulnerabilities

January 20, 2009


The Oracle E-Business Suite (EBS) is a collection of Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Supply Chain Management (SCM) business applications developed by Oracle Corporation. Clients interact with it through the Apache web server, Java technology (applets) and several other Oracle technologies. Business data is stored in the Oracle database.


Imperva's Application Defense Center (ADC) is conducting research into various business applications in order to devise better security solutions for them. As part of this research the team identified several cross-site scripting (XSS) vulnerabilities and an unchecked redirect vulnerability in Oracle EBS.


These vulnerabilities can be exploited to steal sensitive data and to mount phishing attacks. More specifically, data can be stolen from users of the business suite, whether they are employees of the organization that deploys EBS or partners who access it in self-service mode.


Attack vector 1 (XSS):

http://first.imperva:8003/OA_HTML/jsp/fnd/fndhelp.jsp?lang=US&root=FND:LIBRARY&path=paros%22%20style=%22background:url(javascript:alert('Imperva'))

The "path" parameter is reflected into a double-quoted HTML attribute without output encoding. The payload closes that attribute with an encoded double quote (%22) and appends a style attribute whose background URL runs script. Note that this exploit does not require the use of angle brackets, so a filter that only strips tags such as <script> does not stop it. A javascript: URL inside CSS url() executes only in browsers that honour it (notably older Internet Explorer); the underlying attribute injection itself is browser-independent.

Attack vector 2 (Unchecked Redirection):

http://first.imperva:8003/OA_HTML/AppsLocalLogout.jsp?returnUrl=

The value of "returnUrl" is followed without validation, so a link that points returnUrl at an attacker-controlled site sends the user to a phishing page immediately after they log out of EBS.
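How the two vectors arise and what closes them, as an added illustration that is not part of the original advisory and not Oracle's code. The JSP pages are modelled with minimal Python stand-ins: the parameter names (path, returnUrl), the decoded payload and the host first.imperva:8003 come from the advisory; the function names, the template string, the allow-list of trusted hosts and the default landing page are assumptions.

```python
"""Added example: attribute-context XSS and open-redirect checks modelled
on the two Oracle EBS vectors in the advisory.  Minimal Python stand-ins
for the JSP pages; not Oracle's code."""
import html
from urllib.parse import urlsplit

# Attack vector 1: the decoded 'path' value from the advisory URL.
# It contains no angle brackets; it works by terminating the attribute.
XSS_PAYLOAD = 'paros" style="background:url(javascript:alert(\'Imperva\'))'


def render_help_link_vulnerable(path: str) -> str:
    """Assumed template: drops the parameter straight into a quoted attribute."""
    return '<a href="fndhelp.jsp?path=%s">Help</a>' % path


def render_help_link_fixed(path: str) -> str:
    """Same template with attribute encoding; quote=True also escapes " and '."""
    return '<a href="fndhelp.jsp?path=%s">Help</a>' % html.escape(path, quote=True)


def attribute_broken_out(rendered: str) -> bool:
    """True when the injected value escaped the attribute and created a style= attribute."""
    return ' style="' in rendered


# Attack vector 2: returnUrl on the logout page.
TRUSTED_HOSTS = {"first.imperva:8003"}          # assumed: hosts users may be sent back to
DEFAULT_LANDING = "/OA_HTML/AppsLocalLogin.jsp"  # assumed fallback page


def is_safe_return_url(url: str) -> bool:
    """Allow only same-site relative paths or absolute URLs to a trusted host."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: reject protocol-relative (//evil) and its backslash
        # variant (/\evil), which browsers normalise to an external host.
        return url.startswith("/") and not url.startswith("//") and not url.startswith("/\\")
    # Absolute URL: scheme must be http(s) and netloc (including any user@ part)
    # must match a trusted host exactly, so user@evil tricks are rejected too.
    return parts.scheme in ("http", "https") and parts.netloc in TRUSTED_HOSTS


def logout_redirect_target(return_url: str) -> str:
    """Where the logout page should send the browser after the session is cleared."""
    return return_url if is_safe_return_url(return_url) else DEFAULT_LANDING


if __name__ == "__main__":
    print(render_help_link_vulnerable(XSS_PAYLOAD))
    print(render_help_link_fixed(XSS_PAYLOAD))
    for candidate in ("/OA_HTML/RF.jsp", "http://evil.example/phish", "//evil.example/"):
        print(candidate, "->", logout_redirect_target(candidate))
```

The redirect check treats the host allow-list as the security boundary; prefix or substring matching on the URL string (for example "starts with http://first.imperva") is a common mistake that a userinfo or subdomain trick defeats, which is why the code compares the parsed netloc exactly.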

Version Tested

  • Oracle applications release 11i.


Workaround: attack vector #1 can be eliminated if the online help system is removed.

Discovered By

Guy Karlebach of Imperva ADC

Vendor Status

Patch available (CPU July 2006)
For comments and suggestions please contact


The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, for permission.