Summary
This host is running OracleJSP Demos and is prone to multiple cross-site scripting (XSS) vulnerabilities.
Impact
Successful exploitation could allow an attacker to execute arbitrary script code in the browser of a user who follows a crafted link to one of the affected demo pages, in the security context of the affected site. In addition, an attacker may obtain session or authorization cookies that would allow unauthorized access to the application.
Impact Level: Application
Solution
Apply the patch from the link below:
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Insight
The flaws are due to the following scripts failing to properly sanitize user-supplied input before reflecting it into the page:
- '/demo/sql/index.jsp': the 'connStr' parameter.
- '/demo/basic/hellouser/hellouser.jsp': the 'newName' parameter.
- '/demo/basic/hellouser/hellouser_jml.jsp': the 'newName' parameter.
- '/demo/basic/simple/welcomeuser.jsp': the 'user' parameter.
- '/demo/basic/simple/usebean.jsp': the 'newName' parameter.
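The following is an added example, not part of the original advisory or of Oracle's code, showing how a practitioner would verify the reflected XSS in the script/parameter pairs listed above and what the corrected output looks like. It builds one probe URL per pair using a unique, inert marker, decides whether a response reflects the marker unencoded, and contrasts a model of the vulnerable JSP pattern (raw interpolation of request.getParameter()) with a hardened version that HTML-entity-encodes the value. The base URL, the token and the two render_* functions are assumptions for illustration; no network request is made.

```python
"""Reflected XSS probe logic for the OracleJSP demo scripts listed in the advisory.

Added example: the render_vulnerable/render_fixed functions are models of the JSP
behaviour, not Oracle's code. Nothing here contacts a server.
"""
from html import escape
from urllib.parse import urlencode, urljoin

# Script / parameter pairs taken from the advisory's Insight section.
VULN_PARAMS = [
    ("/demo/sql/index.jsp", "connStr"),
    ("/demo/basic/hellouser/hellouser.jsp", "newName"),
    ("/demo/basic/hellouser/hellouser_jml.jsp", "newName"),
    ("/demo/basic/simple/welcomeuser.jsp", "user"),
    ("/demo/basic/simple/usebean.jsp", "newName"),
]


def make_marker(token):
    """A harmless, unique marker: an unknown tag that only matters if echoed verbatim."""
    return f"<xss{token}>"


def build_probe_urls(base_url, token):
    """One GET URL per affected script, with the marker in the affected parameter.

    base_url is an assumed target such as "http://target/"; urlencode() percent-encodes
    the angle brackets, so the raw marker only appears in a response if the page
    decoded the parameter and wrote it back without output encoding.
    """
    return [
        urljoin(base_url, path) + "?" + urlencode({param: make_marker(token)})
        for path, param in VULN_PARAMS
    ]


def is_reflected_unencoded(body, token):
    """True only if the exact marker tag appears in the body.

    Checking for the tag (not just the token) avoids a false positive when a page
    echoes the request URL in its percent-encoded form or entity-encodes the value.
    """
    return make_marker(token) in body


def render_vulnerable(param_value):
    """Models the flawed pattern: <%= request.getParameter("newName") %> written raw."""
    return f"<html><body>Hello, {param_value}!</body></html>"


def render_fixed(param_value):
    """Models the corrected pattern: HTML-entity-encode before writing to the page."""
    return f"<html><body>Hello, {escape(param_value, quote=True)}!</body></html>"


if __name__ == "__main__":
    token = "ab12"  # in a real scan use a fresh random token per request
    for url in build_probe_urls("http://target/", token):
        print("probe:", url)
    value = make_marker(token)
    print("vulnerable page flagged:", is_reflected_unencoded(render_vulnerable(value), token))
    print("fixed page flagged:     ", is_reflected_unencoded(render_fixed(value), token))
```

The check deliberately looks for the literal marker tag rather than the token alone: a page that merely echoes the requested URL (percent-encoded) or entity-encodes the value contains the token but not the tag, and is not exploitable in that spot.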
Affected
OracleJSP Demos version 1.1.2.4.0 with iAS v1.0.2.2
References