'[Full-disclosure] TeamSHATTER Security Advisory: Oracle Enterprise'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] TeamSHATTER Security Advisory: Oracle Enterprise
From:       Shatter <shatter () appsecinc ! com>
Date:       2011-07-27 23:01:18
Message-ID: BB184445F393D244AEB0312F069BAAB109763CF3E0 () mxe1
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

Oracle Enterprise Manager vulnerable to Cross-site scripting (metricDetail$type page)

July 26, 2011

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Grid Control versions 10.1.0.6, 10.2.0.5
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, \
10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application \
Security, Inc.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application \
into sending malicious code, generally in the form of a script, to an unsuspecting end user. \
The attack usually involves crafting a hyperlink with malicious script code embedded within it. \
A valid user is likely to click this link since it points to a resource on a trusted domain. \
The link can be posted on a web page, or sent in an instant message, or email. Clicking on the \
link executes the attacker-injected code in the context of the trusted web application. \
Typically, the code steals session cookies, which can then be used to impersonate a valid user. \
There are instances of XSS vulnerabilities in the Instance Management component of Oracle \
Enterprise Manager Grid Control.  For example the 'commentinput' parameter of \
/em/console/database/monitoring/metricDetail$type web page is vulnerable to this kind of \
attacks.

Impact:
Attackers might steal administrator's session cookies, thereby allowing the attacker to \
impersonate the valid user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply July 2011 CPU.

CVE:
CVE-2011-0876, CVE-2011-0879

Links:
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-enterprise-manager-vulnerable-to-cross-site-scripting-metricdetailtype-page/
 http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

Timeline:
Vendor Notification - 12/27/2007
Vendor Response - 12/27/2007
Fix - 7/19/2011
Public Disclosure - 7/19/2011

Application Security, Inc.'s database security solutions have helped over 2000 organizations \
secure their databases from all internal and external threats while also ensuring that those \
organizations meet or exceed regulatory compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at the time of \
publishing based on currently available information. Use of the information constitutes \
acceptance for use in an AS IS condition. There are no warranties with regard to this \
information. Neither the author nor the publisher accepts any liability for any direct, \
indirect, or consequential loss or damage arising from use of, or reliance on, this \
                information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAk4wmDgACgkQRx91imnNIgG4eACgqMkDdlQaQFob+TyCYTzsx79E
d+8AnA/rzNLmF2nohfew5d/sO/b1q9UN
=MLQP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic