|
Cross-site scripting in Oracle Enterprise Manager (REFRESHHOME Parameter)
July 29, 2008
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 10gR1 and Oracle Enterprise Manager Grid
Control 10gR1
Remote exploitable:
Yes
Credits:
This vulnerability was
discovered and
researched by Esteban
Martínez Fayó of Application
Security Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate
web application into sending malicious code, generally in the form of a script,
to an unsuspecting end user. The attack usually involves crafting a hyperlink with
malicious script code embedded within it. A valid user is likely to click this link
since it points to a resource on a trusted domain. The link can be posted on a web
page, or sent in an instant message, or email. Clicking on the link executes the
attacker-injected code in the context of the trusted web application. Typically,
the code steals session cookies, which can then be used to impersonate a valid user.
The "REFRESHHOME" parameter used in web pages of Oracle Enterprise Manager are
vulnerable to cross-site scripting attacks. User supplied input to these parameters is returned
without proper sanitization, allowing a malicious attacker to inject
arbitrary scripting
code.
Impact:
Attackers might steal administrator's session cookies, thereby allowing the attacker
to impersonate the valid user.
Vendor Status:
Vendor was contacted and
a patch was released.
Workaround:
There is no workaround for this issue.
Fix:
Apply Oracle Critical
Patch Update July 2008
available at Oracle
Metalink.
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2590
Timeline:
Vendor Notification - 8/24/2007
Vendor Response - 8/29/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
|
