{"vuid":"VU#798611","idnumber":"798611","name":"Oracle 9iAS contains cross-site scripting vulnerability in \"htp.print\"","keywords":["Oracle 9iAS","cross-site scripting","css","htp.print"],"overview":"Oracle 9i Application Servers are vulnerable to a cross-site scripting vulnerability. The server may inadvertently include malicious HTML tags or script(JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.","clean_desc":"On Oracle 9i Application Servers, it is possible to use a \"cross-site\" scripting technique to inject malicious script (JavaScript, VBScript, etc.) or HTML into a web page. Specifically, default access to the \"htp\" PL/SQL package can be used to exploit this vulnerability. This package is used to export HTML and HTML tags. The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's web browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server. Oracle 9i Application Servers, and several other server applications are vulnerable to such an technique via various methods. For more details on Cross-Site Scripting please see CERT Advisory CA-2000-02.","impact":"The victim will be presented with information which the compromised site did not wish their visitors to be subjected. This could be used to \"sniff\" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.","resolution":"Oracle has released an alert to address this issue (Section 1-e). Oracle has released a the following patches for the following systems at http://metalink.oracle.com: Oracle9iAS, v1.0.2.x Platform\tPatch Number Sun Solaris \t2209455\nWindows \t2209455 Oracle9i Database, Release 9.0.1 Platform \tPatch Number Sun Solaris \t2209455\nWindows \t2209455 Oracle8i Database, Release 8.1.7.x Platform \tPatch Number Sun Solaris \t2209455\nWindows \t2209455","workarounds":"A web master may change the default error page to not include the file name passed in by any user. The client may disable JavaScript (or VBScript or other scripting languages), but it doesn't address the problem of simply inserting malicious HTML, and it can cause undesired functionality.","sysaffected":"","thanks":"Our thanks to David Litchfield for discovering this instance of a Cross-Site Scripting vulnerability.","author":"This document was written by Jason Rafail.","public":["http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf","http://www.nextgenss.com/papers/hpoas.pdf","http://www.microsoft.com/TechNet/security/crssite.asp","http://www.apache.org/info/css-security/"],"cveids":[""],"certadvisory":"CA-2000-02","uscerttechnicalalert":null,"datecreated":"2002-02-06T19:41:09Z","publicdate":"2002-02-06T00:00:00Z","datefirstpublished":"2002-03-06T14:26:15Z","dateupdated":"2002-03-06T14:26:18Z","revision":18,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"15","cam_easeofexploitation":"2","cam_attackeraccessrequired":"20","cam_scorecurrent":"4.21875","cam_scorecurrentwidelyknown":"4.21875","cam_scorecurrentwidelyknownexploited":"7.59375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.21875,"vulnote":null}