Sunday 16 December 2012

Cross Site Scripting in Oracle ERP R12

Found XSS vulnerability while doing an audit for Oracle ERP R12 .

Step 1) For this we have to first enable “Show Log on Screen” -> “Exception” from the “Diagnostics” page.

 



Below screenshot shows that screen logging is enabled. Now an attacker can perform Cross Site Scripting.

 


Step 2) Below screenshot shows that a SCRIPT tag is entered in the “Search” box, and then click on “Go”.

 


Below screenshot shows that the SCRIPT tag is executed by the browser.