Permanent Cross-Site Scripting in Oracle Application Express

SEC Consult Vulnerability Lab Security Advisory < 20150716-0 >

=======================================================================

title: Permanent Cross-Site Scripting

product: Oracle Application Express

vulnerable version: All versions prior to 4.2.3.00.08

fixed version: 4.2.3.00.08

CVE number: CVE-2015-2655

impact: high

homepage: apex.oracle.com/i/index.html

found: 2014-05-28

by: F. Lukavsky

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"Oracle Application Express (Oracle APEX) is Oracle's primary tool for

developing Web applications with SQL and PL/SQL. Using only a web browser, you

can develop and deploy professional Web-based applications for desktops and

mobile devices. It is a fully supported, no cost option of the Oracle

Database, and is installed by default in all editions of the Oracle Database.

Even those without SQL and PL/SQL knowledge, can still easily install the many

built-in packaged applications, such as Survey Builder, Customer Tracker, and

P-Track (for tracking projects)."

 

www.oracle.com/technetwork/developer-tools/apex/overview/index.html

 

 

Vulnerability overview/description:

-----------------------------------

The gReport Controls Sort Widget is prone to permanent Cross-Site Scripting.

The setting "display as" of the column attributes is ignored for the filter

list.

 

 

Proof of concept:

-----------------

Adding the following field to a table will cause an alertbox to display the

currently set cookies as soon as the sort options are selected for the column:

xss-entry<img src=x onerror=alert(document.cookie)>

 

 

Vulnerable / tested versions:

-----------------------------

All versions prior to 4.2.3.00.08

 

 

Vendor contact timeline:

------------------------

2014-08-13: Contacting vendor through secalert_us@oracle.com

2014-08-14: Vendor response - vulnerbility will be investigated

2014-08-15: Vendor response - issue will be tracked as S0484336

2014-08-22: Status update: Under investigation / Being fixed in main codeline

2014-09-24: Status update: Issue fixed in main codeline, scheduled for a future CPU

2014-10-24: Status update: Issue fixed in main codeline, scheduled for a future CPU

2014-11-24: Status update: Issue fixed in main codeline, scheduled for a future CPU

2014-12-24: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-01-24: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-02-25: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-03-25: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-04-25: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-05-23: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-06-25: Status update: Issue fixed in main codeline, scheduled for a future CPU

2015-07-11: Issue is fixed in upcoming CPU, patches will be released on 2015-07-14

2015-07-16: Coordinated release of the security advisory

 

 

Solution:

---------

Upgrade to Oracle Application Express 4.2.3.00.08.

 

 

Workaround:

-----------

Refrain from using the gReport Controls Sort Widget.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF F. Lukavsky / @2015