1 Reply, latest reply: Jan 16, 2013 2:21 AM by Patrick Wolf

Classic date picker - XSS vulnerability?

Tony Andrews Explorer
We are not currently using the jQuery Date Picker items because of the accessibility bug documented in the APEX 4.2 Release Notes:

<blockquote>The modern inline date pickers are not usable with screen readers or magnification due to focus not being set correctly. The data table is also missing a caption or summary text to describe the data in the table. Workaround for Custom Applications: Use the 'Classic Datepicker' which is coded to the standards. Workaround for Development Environment: Enter the date manually into the date input field. This issue is tracked with Oracle bug 9740473.</blockquote>

So we have been using Date Picker (Classic). However, now a customer has had a penetration test performed by a third party and they have said that Date Picker (Classic) has an XSS vulnerability. The issue is that the URL for the date picker is exposed e.g.

<pre>http://mydomain/pls/apex/wwv_flow_utilities.show_as_popup_calendar?p_element_index=P1_DATE&p_form_index=0&p_date_format=DD-MON-RR&p_bgcolor=%23666666&p_dd=&p_hh=&p_mi=&p_pm=&p_yyyy=2013&p_lang=en&p_application_format=Y&p_application_id=108&p_security_group_id=1055016597152790&p_mm=01</pre>

This URL can then be copied into another browser window and manipulated, e.g. changing the p_bgcolor or p_yyyy parameters.

We don't know how, but the penetration tester has said that "this vulnerability could be used to steal cookies information and potentially user credentials".

Can anyone please confirm that this is in fact a risk, and if so what can be done to remove it? (Or confirm that it is not a risk at all!)

Thanks,

Tony
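As an added illustration (not code from this thread, nor Oracle's own validation), this is the check a defender would apply to the query string quoted above: every parameter is held to an allowlist and a strict pattern, so a value carrying markup instead of, say, a hex colour or a four-digit year is rejected before anything could reflect it into a page, and values that do pass are HTML-encoded. The parameter names are taken from the URL in the post; the patterns are assumptions about what each should legitimately contain.

```python
from urllib.parse import urlsplit, parse_qs
import html
import re

# Expected shape of each parameter in the Classic Date Picker URL quoted in the post.
# These patterns are assumptions about legitimate values, not Oracle's own rules.
PARAM_RULES = {
    "p_element_index": re.compile(r"^P\d+_[A-Z0-9_]+$"),
    "p_form_index": re.compile(r"^\d{1,3}$"),
    "p_date_format": re.compile(r"^[A-Za-z0-9 ./:,-]{1,40}$"),
    "p_bgcolor": re.compile(r"^#[0-9A-Fa-f]{6}$"),
    "p_dd": re.compile(r"^(\d{1,2})?$"),
    "p_hh": re.compile(r"^(\d{1,2})?$"),
    "p_mi": re.compile(r"^(\d{1,2})?$"),
    "p_pm": re.compile(r"^(AM|PM)?$", re.IGNORECASE),
    "p_yyyy": re.compile(r"^\d{4}$"),
    "p_mm": re.compile(r"^\d{1,2}$"),
    "p_lang": re.compile(r"^[a-z]{2}(-[a-z]{2})?$", re.IGNORECASE),
    "p_application_format": re.compile(r"^[YN]$"),
    "p_application_id": re.compile(r"^\d{1,10}$"),
    "p_security_group_id": re.compile(r"^\d{1,20}$"),
}

def validate_calendar_params(url):
    """Return (ok, problems); problems lists unknown or malformed parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for name, values in query.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            problems.append(f"{name}: unexpected parameter")
            continue
        for value in values:          # %23666666 arrives here decoded as "#666666"
            if not rule.fullmatch(value):
                problems.append(f"{name}: malformed value {value!r}")
    return (not problems, problems)

def encode_for_html(value):
    """Encode a validated value before it is placed into generated HTML."""
    return html.escape(value, quote=True)

# Constructed sample: the URL from the post, and a copy with markup in p_bgcolor.
ORIGINAL = ("http://mydomain/pls/apex/wwv_flow_utilities.show_as_popup_calendar?"
            "p_element_index=P1_DATE&p_form_index=0&p_date_format=DD-MON-RR&p_bgcolor=%23666666"
            "&p_dd=&p_hh=&p_mi=&p_pm=&p_yyyy=2013&p_lang=en&p_application_format=Y"
            "&p_application_id=108&p_security_group_id=1055016597152790&p_mm=01")
TAMPERED = ORIGINAL.replace("p_bgcolor=%23666666", "p_bgcolor=%3Cb%3Ex")
```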
  • 1. Re: Classic date picker - XSS vulnerability?
    Patrick Wolf Employee ACE
    Hi Tony,

    If your customer thinks that they have found a vulnerability in an Oracle product, we encourage them to report it as described at the following link:

    http://www.oracle.com/us/support/assurance/reporting/index.html

    Regards,
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
