Info

Disclosure

Oct 07, 2005

Discovery

Oct 09, 2003

Dates

Exploit

Oct 07, 2005

Solution

Unknown

Description

The XML DB component in Oracle Database Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input upon submission to the 'oradb' servlet. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

Products

Oracle Corporation	Oracle Database Server 9i Release 2	9.0.2.4
		9.2.0.6
	Oracle Database Server 10g	10.1.0.3

References

Bugtraq ID: 15034
CVE ID: 2005-3204 (see also: NVD)
ISS X-Force ID: 22541
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0177.html
Vendor URL: http://www.oracle.com/
Vendor Specific Advisory URL: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
Other Advisory URL: http://www.red-database-security.com/advisory/oracle_xmldb_css.html

Credit

Alexander Kornbrust - akred-database-security.com - Red Database Security GmbH

Direct URL: http://osvdb.org/20054

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Oracle Corporation

Oracle Database Server 9i Release 2

Oracle Database Server 10g

References

Credit