Digital Security Research Group - [DSECRG-09-025] Oracle Secure Enterprise Search 10.1.8 Linked XSS vulnerability

A linked XSS vulnerability was found in "search" script of Oracle Secure Enterprise Search (SES).

Application: Oracle Secure Enterprise Search (SES)
Versions Affected: Oracle Secure Enterprise Search (SES) version 10.1.8.2.0
Vendor URL: http://www.oracle.com
Bugs: XSS
Exploits: YES
Reported: 21.01.2009
Vendor response: 23.01.2009
Date of Public Advisory: 16.07.2009
CVE: CVE-2009-1968
Description: XSS IN search query
Author: Alexandr Polyakov
Digital Security Reasearch Group [DSecRG] (research [at] dsecrg [dot] com)

Details
*******

A vulnerability was found in page /search/query/search. Vulnerable parameter - search_p_groups.

Example
*******

http://[localhost]:7777/search/query/search?search.timezone=&search_p_groups="'><IMG%20SRC=javascript:alert(document.cookie)>&q=1234&btnSearch=Search

An attacker can send the evil link to logged-in Administrator, get Administrator's cookie and access to the system with Administrative rights

Fix Information
***************

Information was published in CPU July 2009.
All customers can download CPU patches following instructions from:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Credits
*******
Oracle is grateful to Alexandr Polyakov from Digital Security Company in CPU July 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

About
*****
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com