Info

Disclosure

Oct 07, 2005

Discovery

Feb 18, 2004

Dates

Exploit

Oct 07, 2005

Solution

Unknown

Description

Oracle HTML DB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'p' variable upon submission to the 'f' servlet. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

Products

Oracle Corporation	HTML DB	1.3.6
		1.4.4.00.33

References

SCIP VulDB ID: 1363
Bugtraq ID: 15031
CVE ID: 2005-3202 (see also: NVD)
Related OSVDB ID: 20052
ISS X-Force ID: 22540
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0173.html
Vendor URL: http://www.oracle.com/
Vendor Specific Advisory URL: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Other Advisory URL: http://www.red-database-security.com/advisory/oracle_htmldb_css.html

Credit

Alexander Kornbrust - akred-database-security.com - Red Database Security GmbH

Direct URL: http://osvdb.org/20051

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Oracle Corporation

HTML DB

References

Credit