Various Cross-Site-Scripting Vulnerabilities in Oracle Reports
Various Cross-Site-Scripting Vulnerabilities in Oracle Reports [REP01], [REP02]
Cross Site Scripting (CSS/XSS)
Alexander Kornbrust (ak at red-database-security.com)
18 July 2006 (V 1.0)
The Oracle Reports parameters showenv [REP01], parsequery [REP01], cellwrapper [REP02] and delimiter [REP02] are vulnerable to cross-site scripting.
Internet Application Server
Oracle Application Server
Oracle Developer Suite
Apply Oracle Critical Patch Update October 2006 (CPU July 2006).
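A log review for the four parameters named above, as an added example that is not part of the original advisory or of any Oracle tooling. It assumes the parameters arrive as name=value pairs in the query string and that the web tier writes Common Log Format; the log lines, the `report` values and the client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names taken from the advisory text.
WATCHED = {"showenv", "parsequery", "cellwrapper", "delimiter"}
# Only angle brackets are flagged: a quote character can be a legitimate
# cellwrapper or delimiter value, so matching quotes would be noisy.
MARKUP = re.compile(r"[<>]")
# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries, not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/2006:10:00:01 +0000] "GET /reports/rwservlet?report=sales.rdf&delimiter=%2C HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Oct/2006:10:00:02 +0000] "GET /reports/rwservlet?report=sales.rdf&cellwrapper=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 734',
    '192.0.2.12 - - [18/Oct/2006:10:00:03 +0000] "GET /reports/rwservlet?report=sales.rdf&Delimiter=%253Cb%253E HTTP/1.1" 200 701',
    '192.0.2.13 - - [18/Oct/2006:10:00:04 +0000] "GET /reports/rwservlet?report=%3Cb%3E HTTP/1.1" 404 120',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the watched parameter names whose value carries markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = set()
    # parse_qsl decodes once; fully_decode handles further encoding layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in WATCHED and MARKUP.search(fully_decode(value)):
            hits.add(name.lower())
    return sorted(hits)

def scan(lines):
    """Return (line_number, parameter_names) for every flagged entry."""
    results = [(n, suspicious_params(line)) for n, line in enumerate(lines, 1)]
    return [(n, params) for n, params in results if params]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(params)}")
```

Hits on a server that has not yet received the Critical Patch Update are worth correlating with the referrer and client address of the request.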
28-aug-2003 Oracle secalert was informed
29-aug-2003 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory
© 2006 by Red-Database-Security GmbH - last update 18-oct-2006
Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool.
It enables businesses to give immediate access to information to all levels within and outside
of the organization in an unrivaled scalable and secure environment. Oracle Reports consists of
Oracle Reports Developer (a component of the Oracle Developer Suite) and Oracle Application Server
Reports Services (a component of the Oracle Application Server).