-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cross-site scripting in Oracle Enterprise Manager (advReplicationAdmin)
TeamSHATTER Security Advisory
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a
legitimate web application into sending malicious code, generally in the form
of a script, to an unsuspecting end user. The attack usually involves crafting
a hyperlink with malicious script code embedded within it. A valid user is
likely to click this link since it points to a resource on a trusted domain.
The link can be posted on a web page, or sent in an instant message, or email.
Clicking on the link executes the attacker-injected code in the context of the
trusted web application. Typically, the code steals session cookies, which can
then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Distributed/Cross DB
Features of Oracle Enterprise Manager. For example web page
/em/console/database/dist/
kind of attacks.
Impact:
Attackers might steal administrator's session cookies, thereby allowing the
attacker to impersonate the valid user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2013-0355
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmcToACgkQRx91im
8bgAnjXHt2HN6LjZ0Ye/
=yJVw
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
Hash: SHA1
Cross-site scripting in Oracle Enterprise Manager (advReplicationAdmin)
TeamSHATTER Security Advisory
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a
legitimate web application into sending malicious code, generally in the form
of a script, to an unsuspecting end user. The attack usually involves crafting
a hyperlink with malicious script code embedded within it. A valid user is
likely to click this link since it points to a resource on a trusted domain.
The link can be posted on a web page, or sent in an instant message, or email.
Clicking on the link executes the attacker-injected code in the context of the
trusted web application. Typically, the code steals session cookies, which can
then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Distributed/Cross DB
Features of Oracle Enterprise Manager. For example web page
/em/console/database/dist/
kind of attacks.
Impact:
Attackers might steal administrator's session cookies, thereby allowing the
attacker to impersonate the valid user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2013-0355
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmcToACgkQRx91im
8bgAnjXHt2HN6LjZ0Ye/
=yJVw
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
No comments:
Post a Comment