Oracle Workflow CSS Vulnerability wf_monitor

ak_at_red-database-security.com
Date: 10/20/05

  • Next message: Martin Schulze: "[SECURITY] [DSA 867-1] New module-assistant package fixes insecure temporary file"
    Date: 20 Oct 2005 06:14:07 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) Dear Bugtraq-Reader,

    The Oracle Critical Patch Update October 2005 provides fixes for 2 Cross-Site-
    Scripting vulnerabilities in Oracle Workflow found by Red-Database-Security GmbH.

    I know that the severity and impact of CSS bugs is low. My critical security bugs
    in Oracle (e.g. become DBA via the import utility or security problems in
    Transparent Data Encryption (TDE)) are still unfixed.

    The following (remote exploitable) bug for example is now unfixed since 800 (!)
    days ( = 19.200 hours).
    http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html

    If you think that 800 days are a little bit too long you should contact
    Oracle and ask for the reason. If you are lucky you will get patches from Oracle
    with the next critical patch update january 2006 (= 889 days later) or april
    2006 (=980 days later).

    A list of (my) upcoming Oracle security issues is available here:
    http://www.red-database-security.com/advisory/upcoming_alerts.html

    Regards

     Alexander Kornbrust

    Oracle Workflow CSS Vulnerability wf_monitor
    ############################################

     Name Oracle Workflow CSS Vulnerability wf_monitor
     Systems Affected Oracle Database or Application Server
     Severity Low Risk
     Category Cross Site Scripting
     Vendor URL http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html
     This advisory http://www.red-database-security.com/advisory/oracle_workflow_css_wf_monitor.html
     Author Alexander Kornbrust (ak at red-database-security.com)
     Date 20 October 2005 (V 1.00)
     Bugnumber 2005-S071E
     Time to fix 236 days

     
    Details
    #######
    Oracle Workflow is part of the database or application server installation. The parameter response form is vulnerable against XSS/CSS attacks.

    Testcase
    ########
    Run the URL http://server:7778/pls/owf_mgr/wf_monitor.find_instance and add javascript code into the field "response form"

    Patch Information
    #################
    Oracle fixed this issue with the patches from the critical patch update october 2005.

    All already published alerts are available on the web site of Red-Database-Security GmbH
    http://www.red-database-security.com/advisory/published_alerts.html

    History
    #######
    14-feb-2005 Oracle secalert was informed
    15-feb-2003 Bug confirmed
    18-oct-2005 Oracle published the Critical Patch Update October 2005 (CPU October 2005)
    20-oct-2005 Red-Database-Security published this advisory

    (c) 2005 by Red-Database-Security GmbH


  • Next message: Martin Schulze: "[SECURITY] [DSA 867-1] New module-assistant package fixes insecure temporary file"