Oracle Security Alert #31
Oracle Configurator Security Issue: Oracle Configurator vulnerable to cross-site scripting attacks
Dated: 1 April 2002

Oracle Configurator Security Issue: Potential Cross-site Scripting Attacks

Customers Affected

Customers who use the Oracle Configurator on the Internet and who use Text Features and the DHTML UI need to read this alert and implement the workaround or apply the patch. Customers who use Oracle Configurator on the Internet, but do not use Text Features and the DHTML UI, should read this alert, but it is likely they will not have to take any action. All other customers do not need to read this alert.

Versions Affected

All released Oracle Configurator 11i patch levels are affected. These potential vulnerabilities are fixed in CZ patchset H, and in builds 17.32 and 16.53; all earlier versions are subject to the potential vulnerabilities described in this alert.

Platforms Affected

All Supported Platforms

Description

Oracle Configurator has been found vulnerable to potential cross-site scripting attacks. This generic type of attack is described in a CERT advisory at http://www.cert.org/advisories/CA-2000-02.html. Oracle strongly encourages all customers deploying Internet applications with Oracle Configurator to read and understand this advisory.

The following potential vulnerabilities were identified in Oracle Configurator. Each of these potential vulnerabilities is fixed by a patch to Oracle Configurator.

  1. Vulnerability to cross-site scripting attacks in text input boxes. Configurator customers who use Text Features and the DHTML UI, and who display Text Features in their UI, are vulnerable to cross-site scripting attacks. If the end user of a DHTML UI were to type in HTML tags that run JavaScript or launch an applet, that code would have access to the entire page. If you are not using Text Features, you need not worry about this vulnerability.
  2. Vulnerability to cross-site scripting attacks when using the test parameter to the oracle.apps.cz.servlet.UiServlet servlet. If you pass a string that is not a recognized argument to the ?test parameter, the servlet returns a page with the argument rendered on the page.
  3. Vulnerability to retrieving version and host information from oracle.apps.cz.servlet.UiServlet. If you pass a test=version argument to the servlet, it returns build and schema information. If you pass a test=host argument, the servlet returns the hostname and port that the web server is running on. Both of these potential vulnerabilities are fixed in the patches described below. Furthermore, for this fix to be active, you must add the following line to your jserv.properties file:
oracle.apps.cz.uiservlet.versionFuncsAvail=false

Likelihood of Occurrence

Oracle Configurator customers who use the DHTML UI and Text Features on Internet applications must either implement the workarounds or install the patch to preserve the security of data entered into Oracle Configurator. Customers who do not use Text Features in the DHTML UI, or who do not deploy these applications over the Internet, need not apply this patch or implement the workarounds.

Solution

Apply the patch that is appropriate for your version of Oracle Configurator, and then add the following line to your jserv.properties file:

oracle.apps.cz.uiservlet.versionFuncsAvail=false

Patches
Branch                Build Number   ARU Number                              Developer ARU Number
Patchset H and later  (fixed in the base release)  Not needed                 Not needed
Patchset G            11.5.7.17.32   2264442                                 2257907
Patchset F            11.5.6.16.53   2279864                                 2237471
Other                 Not available, please contact support


Workarounds

Workarounds are available only for the Text Features and DHTML UI potential vulnerability.

Customers must remove all Text Features from their UIs. If this workaround is not feasible, because the Text Features are required, customers can write validation Functional Companions that examine the user input value for each text feature. Customers can then either reject input with HTML tags, or quote the input text so that the browser will not render the HTML tags when the value is displayed in the browser.
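As an added illustration of the two workaround strategies above (reject input containing HTML tags, or quote it so the browser displays it as text) and of the servlet-side behaviour items 2 and 3 call for (never echo an unrecognised test argument, gate version/host output behind the property), here is a standalone Java helper. It is example code written for this page, not Oracle's code: the class name TextFeatureGuard, its methods, the sample inputs and the message strings are assumptions, and reading the versionFuncsAvail flag from a system property stands in for reading it from jserv.properties.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical helper (added example, not Oracle code) that a validation
 * Functional Companion could call for each Text Feature value, plus a
 * diagnostic-parameter handler in the spirit of the UiServlet fix.
 */
public final class TextFeatureGuard {

    // A '<' immediately followed by an optional '/' and a letter, '!' or '?'
    // is what a browser treats as the start of a tag, comment or processing
    // instruction. A bare '<' followed by a space (as in "a < b") is not.
    private static final Pattern TAG_START = Pattern.compile("</?[A-Za-z!?]");

    private TextFeatureGuard() {}

    /** Reject strategy: true when the value contains a tag-like sequence. */
    public static boolean containsHtmlTag(String value) {
        return value != null && TAG_START.matcher(value).find();
    }

    /**
     * Quote strategy: escape the five HTML metacharacters so the browser shows
     * the text literally instead of rendering it as markup. This is the safer
     * of the two because it needs no list of "bad" tags to keep current.
     */
    public static String htmlEscape(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Diagnostic-parameter handling (items 2 and 3): an unrecognised argument
     * is never copied into the response, and the version/host queries are only
     * answered when the property is explicitly set to true. The response
     * strings are constructed for this example.
     */
    public static String handleTestParam(String arg, boolean versionFuncsAvail) {
        if (arg == null) {
            return "";
        }
        if ("version".equals(arg) || "host".equals(arg)) {
            return versionFuncsAvail
                ? "diagnostic '" + arg + "' would be reported here"
                : "diagnostics disabled";
        }
        // Fixed text only: the caller-supplied string never reaches the page.
        return "unrecognised test argument";
    }

    public static void main(String[] args) {
        // Constructed sample Text Feature inputs.
        String[] samples = {
            "Red paint, 2 coats",
            "<script>alert(1)</script>",
            "a < b && c > d"
        };
        for (String s : samples) {
            System.out.println("reject=" + containsHtmlTag(s)
                + "  escaped=" + htmlEscape(s));
        }
        // For the demo the jserv.properties flag is read as a system property
        // (run with -Doracle.apps.cz.uiservlet.versionFuncsAvail=true to enable).
        boolean avail = Boolean.getBoolean("oracle.apps.cz.uiservlet.versionFuncsAvail");
        System.out.println(handleTestParam("<b>x</b>", avail));
        System.out.println(handleTestParam("version", avail));
    }
}
```

Of the two strategies, escaping on output is the one to rely on: the tag-detection pattern is deliberately narrow and will not catch every way a browser can be coaxed into running script, whereas escaping the metacharacters makes the value inert regardless of its content.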
