Oracle Application Server XSQL Stylesheet Arbitrary Java Code Execution

high Nessus Plugin ID 10594

Synopsis

Arbitrary code can be run on the remote host.

Description

The Oracle XSQL Servlet allows arbitrary Java code to be executed by an attacker by supplying the URL of a malicious XSLT stylesheet when making a request to an XSQL page.

Solution

Until Oracle changes the default behavior for the XSQL servlet to disallow client supplied stylesheets, use the following workaround. Add allow-client-style='no' on the document element of every xsql page on the server. This plug-in tests for this vulnerability using a sample page, airport.xsql, which is supplied with the Oracle XSQL servlet. Sample code should always be removed from production servers.

Plugin Details

Severity: High

ID: 10594

File Name: oracle_xsql.nasl

Version: 1.29

Type: remote

Family: Databases

Published: 1/22/2001

Updated: 5/28/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/9/2001

Reference Information

CVE: CVE-2001-0126

BID: 2295