Re: [oracle-l] Re: Oracle HTTP Server Cross Site Scripting Vulnerability

  • From: Jan Pruner <JPruner@xxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 28 Jan 2004 11:55:11 +0100

A lot of people are running Oracle on WINDOWS.
They simply do not know about the possibility of compiling their own httpd with
an SSL library.

JP

MacGregor, Ian A. wrote:
> How many people actually run the HTTP server which comes with the database?
> Isn't that pleading for someone to commit mischief? It was too long ago that
> an SSL problem was announced also dealing with the HTTP server. The attack
> vector employs iSQL; is that only available through the "database" HTTP server,
> or can it be run via iAS?
> 
> 
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian@xxxxxxxxxxxxxxxxx
> 
> 
> -----Original Message-----
> From: Jared.Still@xxxxxxxxxxx [mailto:Jared.Still@xxxxxxxxxxx] 
> Sent: Tuesday, January 27, 2004 5:26 PM
> To: oracle-l@xxxxxxxxxxxxx
> Subject: [oracle-l] Oracle HTTP Server Cross Site Scripting Vulnerability
> 
> 
> ----- Forwarded by Jared Still/Radisys_Corporation/US on 01/27/2004 05:25 PM -----
> 
> "Rafel Ivgi, The-Insider" <theinsider@xxxxxxxxxx>
>  01/24/2004 01:54 AM
>  Please respond to "Rafel Ivgi, The-Insider"
> 
>  
>         To:     "bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
>         cc:     "securitytracker" <bugs@xxxxxxxxxxxxxxxxxxx>
>         Subject:        Oracle HTTP Server Cross Site Scripting Vulnerability
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Software:        Oracle HTTP Server Powered by Apache
> Vendor:           http://www.apache.com
>                          http://www.oracle.com
> Versions:        Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
> mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 
> mod_oprocmgr/1.0 mod_perl/1.25
> Platforms:       Windows
> Bug:                 Cross Site Scripting Vulnerability
> Risk:                Low
> Exploitation:     Remote with browser
> Date:               24 Jan 2004
> Author:            Rafel Ivgi, The-Insider
> e-mail:             the_insider@xxxxxxxx
> web:                http://theinsider.deep-ice.com
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 1) Introduction
> 2) Bug
> 3) The Code
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ===============
> 1) Introduction
> ===============
> 
> Apache is the most common Unix server in the world. It is strong and safe.
> Oracle HTTP Server is a modified, custom Apache server that was created by
> Apache for Oracle.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ======
> 2) Bug
> ======
> 
> The vulnerability is Cross Site Scripting. If an attacker requests the
> following URL from the server:
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> Or
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
> XSS appears and the server allows an attacker to inject & execute scripts.
> 
> In the words of securityfocus.com:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> If all of these circumstances are met, an attacker may be able to exploit 
> this issue via a malicious link containing arbitrary HTML and script code as 
> part of the hostname. When the malicious link is clicked by an unsuspecting 
> user, the attacker-supplied HTML and script code will be executed by their 
> web client. This will occur because the server will echo back the malicious 
> hostname supplied in the client's request, without sufficiently escaping HTML 
> and script code.
> 
> Attacks of this nature may make it possible for attackers to manipulate web
> content or to steal cookie-based authentication credentials. It may be
> possible to take arbitrary actions as the victim user.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ===========
> 3) The Code
> ===========
> 
> http://<host>/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
> http://<host>/isqlplus?action=<script>alert('XSS')</script>
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
> 
> "Things that are unlikeable, are NOT impossible."
> 
> 
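
For anyone who does run the bundled HTTP server, one way to check access logs for requests shaped like the ones in the forwarded advisory. This is an added example, not part of the original posts or of any Oracle tooling: the function names are hypothetical, the log lines are constructed, and Apache common log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache common log format (not from the original post).
SAMPLE_LOG = r'''
192.0.2.10 - - [24/Jan/2004:01:50:12 +0000] "GET /isqlplus HTTP/1.1" 200 5120
198.51.100.7 - - [24/Jan/2004:01:54:03 +0000] "GET /isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e HTTP/1.1" 200 6230
198.51.100.7 - - [24/Jan/2004:01:54:09 +0000] "GET /isqlplus?action=<script>alert('XSS')</script> HTTP/1.1" 200 6101
192.0.2.10 - - [24/Jan/2004:01:55:40 +0000] "GET /index.html?q=<b> HTTP/1.1" 200 812
'''.strip().splitlines()

# Client address, request target and status code of one log line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# HTML tag openers or an attribute-closing quote followed by '>':
# markup that a logon parameter should never contain.
MARKUP_RE = re.compile(r'''<\s*/?\s*[a-z!]|["']\s*>''', re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly: a front-end proxy may have re-encoded the value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target, path_prefix="/isqlplus"):
    """Sorted names of query parameters whose decoded value carries markup."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(path_prefix):
        return []
    return sorted({name
                   for name, value in parse_qsl(parts.query, keep_blank_values=True)
                   if MARKUP_RE.search(fully_decode(value))})

def scan(lines):
    """Return (client, parameter names, status) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            params = suspicious_params(m.group("target"))
            if params:
                findings.append((m.group("client"), params, m.group("status")))
    return findings

if __name__ == "__main__":
    for client, params, status in scan(SAMPLE_LOG):
        print(f"{client} status={status} markup in: {', '.join(params)}")
```

A flagged request only shows that markup was sent; whether the page echoed it back unescaped still has to be confirmed against the response.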