Oracle Application Server XSQL Stylesheet Arbitrary Java Code Execution

This script is Copyright (C) 2001-2014 Matt Moore


Synopsis :

Arbitrary code can be run on the remote host.

Description :

The Oracle XSQL Servlet lets a client supply the URL of the XSLT stylesheet
to apply to an XSQL page. The servlet fetches and applies that stylesheet,
so an attacker who points it at a malicious stylesheet can run arbitrary
Java code on the server.

Solution :

Until Oracle changes the default behavior of the XSQL servlet to
disallow client-supplied stylesheets, use the following workaround:
add allow-client-style='no' to the document element of every
XSQL page on the server. This plugin tests for the vulnerability
using a sample page, airport.xsql, which is supplied with the Oracle
XSQL servlet. Sample code should always be removed from production
servers.
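The workaround above has to be applied to every .xsql page, and a single page left at the default re-opens the hole. The following audit script is an added example, not part of the Nessus plugin or of Oracle's software: it parses each page, looks at the document element, and reports pages whose allow-client-style attribute is missing or set to anything other than "no". The sample pages are constructed for the example (they are not the airport.xsql shipped by Oracle); the xsql namespace URI and the attribute semantics follow the Oracle XSQL documentation, and the treatment of a non-"no" value as still vulnerable is an assumption made here.

```python
"""Audit XSQL pages for the allow-client-style='no' workaround.

Added example, not part of the Nessus plugin or of Oracle's XSQL servlet.
Assumption: an XSQL page is an XML document whose document (root) element
may carry allow-client-style; only the literal value "no" disables
client-supplied stylesheets, so a missing attribute or any other value is
reported as vulnerable.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample pages for the example (not Oracle's airport.xsql).
SAMPLE_PAGES = {
    # default page: no allow-client-style attribute -> client stylesheet honoured
    "airport_default.xsql": (
        '<?xml version="1.0"?>\n'
        '<page connection="demo" xmlns:xsql="urn:oracle-xsql">\n'
        '  <xsql:query>select * from airports</xsql:query>\n'
        '</page>\n'
    ),
    # page with the workaround applied on the document element
    "airport_hardened.xsql": (
        '<?xml version="1.0"?>\n'
        '<page connection="demo" allow-client-style="no"\n'
        '      xmlns:xsql="urn:oracle-xsql">\n'
        '  <xsql:query>select * from airports</xsql:query>\n'
        '</page>\n'
    ),
    # attribute present but with the wrong value: still vulnerable
    "wrong_value.xsql": (
        '<?xml version="1.0"?>\n'
        '<page connection="demo" allow-client-style="yes"\n'
        '      xmlns:xsql="urn:oracle-xsql">\n'
        '  <xsql:query>select 1 from dual</xsql:query>\n'
        '</page>\n'
    ),
}


def allows_client_stylesheet(xsql_source: str) -> bool:
    """Return True if the page would still honour a client-supplied stylesheet.

    Only the document element is consulted. The attribute value is compared
    case-insensitively after stripping whitespace (assumption); a missing
    attribute means the permissive default applies.
    """
    root = ET.fromstring(xsql_source)
    value = root.get("allow-client-style")
    return value is None or value.strip().lower() != "no"


def audit_pages(pages: dict) -> dict:
    """Map page name -> 'vulnerable', 'hardened' or 'unparseable'."""
    results = {}
    for name, source in pages.items():
        try:
            vulnerable = allows_client_stylesheet(source)
        except ET.ParseError:
            # A page the servlet cannot parse is reported separately rather
            # than silently counted as hardened.
            results[name] = "unparseable"
            continue
        results[name] = "vulnerable" if vulnerable else "hardened"
    return results


def audit_directory(root: Path) -> dict:
    """Audit every *.xsql file below root (recursively)."""
    pages = {str(p): p.read_text(encoding="utf-8") for p in root.rglob("*.xsql")}
    return audit_pages(pages)


if __name__ == "__main__":
    for name, status in audit_pages(SAMPLE_PAGES).items():
        print(f"{status:12s} {name}")
```

Run audit_directory() against the servlet's document root after applying the workaround; any page reported as "vulnerable" or "unparseable" still needs attention, and sample pages such as airport.xsql should be deleted rather than merely hardened.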

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)

Family: Databases

Nessus Plugin ID: 10594

Bugtraq ID: 2295

CVE ID: CVE-2001-0126