From: Brian Eaton [EMAIL PROTECTED]
To: putosoft softputo [EMAIL PROTECTED]
CC: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting
Date: Wed, 20 Dec 2006 13:55:09 -0500
On 12/20/06, putosoft softputo [EMAIL
Description
---
There are plenty (hundreds) of Cross Site Scripting vulnerabilities in the
Oracle Portal. The following is one that you may find in any version:
Oracle Portal/Applications HTTP Response Splitting
--
Sample:
http://target/webapp/jsp/calendar.jsp?enc=iso-8859-1%0d%0aContent-length=12%0d%0a%0d%0a%3Cscript%3Ealert('hi')%3C/script%3E
How can an attack be conducted?
I can't believe it. Oracle releases new patches and they have not
solved one of the main problems: A user with only the SELECT privilege can
do WHATEVER (S)HE WANTS WITH THE ENTIRE DATABASE
I'm not sure if it is time to fully disclose it but, anyway, I will fully
disclose one innocent
I have no time to check it so here are details about the crash:
Open in a browser the following location:
http://ofertas.muchoviaje.com/viajes/ofertas/ofertapaquete.aspx?codigo=8491
Next, Select all (Ctrl+E) and try pasting it in Microsoft Word. It will
always crash with a failure in