
CERT-In Advisory CIAD-2006-50
Oracle Portal Vulnerabilities

Original issue date: December 27, 2006

Severity Rating: Medium

Systems Affected

  • Oracle Application Server 10g
  • Oracle Application Server 9i

Overview

Two vulnerabilities have been reported in Oracle Application Servers which could be exploited by remote attackers to conduct HTTP response splitting and cross-site scripting attacks.

Description

1. Oracle Portal "enc" Parameter Handling Vulnerability (CVE-2006-6697)

A vulnerability has been reported in Oracle Application Server due to an input validation error in the "webapp/jsp/calendar.jsp" script while processing the "enc" parameter.

This could be exploited by remote attackers to inject arbitrary HTTP headers into the response and so conduct HTTP response splitting and cross-site scripting attacks.

2. Oracle Portal "tc" Parameter Handling Vulnerability (CVE-2006-6703)

A vulnerability has been reported in Oracle Application Server due to an input validation error in the "jsp/container_tabs.jsp" script while handling the "tc" parameter.

This could allow remote attackers to inject arbitrary HTML and script code that executes in a user's browser in the context of the affected site (cross-site scripting), which could be used to bypass certain security restrictions.

Workaround

Filter malicious characters or character sequences in a proxy.
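The following is an added example of the kind of filter this workaround refers to; it is not part of the CERT-In advisory and not Oracle's code. It models a check a reverse proxy in front of the Portal could apply to each request: every query parameter is percent-decoded (repeatedly, so a double-encoded %250d%250a is not missed) and the request is refused if a value contains a carriage return or line feed (the precondition for injecting a header and splitting the response) or HTML/script markup (the precondition for cross-site scripting). The script paths and the parameter names "enc" and "tc" are taken from the advisory; the host name, the sample requests and the filtering policy itself are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts and parameters named in the advisory (used only to annotate
# the decision; the checks below are applied to every parameter).
AFFECTED = {
    "webapp/jsp/calendar.jsp": {"enc"},
    "jsp/container_tabs.jsp": {"tc"},
}

# A CR or LF inside a decoded value lets the value terminate the header
# it is copied into and start a new header or a second response body.
CRLF_RE = re.compile(r"[\r\n]")
# Anything that could open a tag, a script URL or an event handler is
# refused outright rather than "cleaned" (no attempt to sanitise).
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded rounds),
    so nested encodings such as %250d%250a -> %0d%0a -> CR LF are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def affected_parameter(url, name):
    """True if this parameter is one the advisory names for this script."""
    path = urlsplit(url).path
    return any(path.endswith(script) and name in params
               for script, params in AFFECTED.items())


def inspect_request(url):
    """Return (True, '') if the request may pass, else (False, reason)."""
    query = urlsplit(url).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)  # parse_qsl decoded once already
        tag = " (parameter named in advisory)" if affected_parameter(url, name) else ""
        if CRLF_RE.search(value):
            return False, f"CR/LF in parameter {name!r}{tag}"
        if MARKUP_RE.search(value):
            return False, f"HTML/script markup in parameter {name!r}{tag}"
    return True, ""


# Constructed sample requests (hypothetical host, not a real target).
BASE = "http://portal.example.test/portal/page/portal"
SAMPLE_REQUESTS = [
    BASE + "/webapp/jsp/calendar.jsp?enc=UTF-8&month=12",
    BASE + "/webapp/jsp/calendar.jsp?enc=x%0d%0aSet-Cookie:%20a%3Db",
    BASE + "/webapp/jsp/calendar.jsp?enc=x%250d%250aX-Injected:%201",
    BASE + "/jsp/container_tabs.jsp?tc=%3Cb%3Ebold%3C%2Fb%3E",
    BASE + "/jsp/container_tabs.jsp?tc=3",
]


def filter_requests(urls):
    """Apply inspect_request to each URL; returns a list of (url, allowed, reason)."""
    return [(u, *inspect_request(u)) for u in urls]


if __name__ == "__main__":
    for url, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "BLOCK", url, reason)
```

The markup pattern is deliberately coarse and will reject some legitimate values (for example a value containing "london=" matches the event-handler rule), which is the usual trade-off for a proxy-side filter deployed as a stop-gap until the vendor patch is applied; the CR/LF rule, by contrast, has no legitimate use in a query parameter and can be applied strictly.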

Vendor Information

Oracle Corporation
http://www.oracle.com

References

FrSIRT
http://www.frsirt.com/english/advisories/2006/5124
http://www.frsirt.com/english/advisories/2006/5143

Secunia
http://secunia.com/advisories/23461/

CVE Name
CVE-2006-6697
CVE-2006-6703

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003