3 Replies Latest reply: Jul 12, 2012 5:51 AM by Erik Janssen RSS

    Help me!!!. Please help me fix bug Expression Language Injection in Portal

    937304
      hi all,
      I'm trying to fix bug Expression Language Injection vulnerabilities on oracleas portal, error scanning tool using Acunetix Web Vulnerability Scanner ver 8.0 build 20120209

      I tried to include in the portlet filters special characters to detect signs of attack websites. For example an attack details: URL encoded GET input product_id was set to ${99240+11490}

      But the way I tried above fails, scan tools Acunetix identified a bug that is high

      I hope to soon get the help :)
      I thank very much



      Jackie
      E: doanitsoft@gmail.com
        • 1. Re: Help me!!!. Please help me fix bug Expression Language Injection in Portal
          Erik Janssen
          Hello Jackie,

          Make sure to test with the latest version of Oracle's CPU patches patches applied. For FMW11g releases, the last CPU patch set was released last April 2012, info available in My Oracle Support Note [url https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1406574.1]1406574.1. For AS 10g releases, the last CPU patch set was released in December 2011. There will be no new CPU patch sets for AS10g anymore nor will their be any bug fixing error correction support has ended for AS10g.

          Thanks,
          EJ
          • 2. Re: Help me!!!. Please help me fix bug Expression Language Injection in Portal
            937304
            hello Erik Janssen,
            Thank you very much. I've tried it that way but when scanned by Acunetix Web Vulnerability Scanner tool ver 8.0 still errors appear Expression Language Injection.

            I describe to you more clearly understand. For example an attack details:
            URL encoded GET input product_id was set to *${99240+11490}*

            * Request
            GET /portal/page/portal/listpro?product_id=%24%7b99240+11490%7d

            I built a special filter characters in the portlets so that if the value retrieved from the parameter contains special characters are predefined Raise Error, but still not successful bug fix.

            Look forward to receiving your help. Thank you very much :)


            Jackie
            E: doanitsoft@gmail.com
            • 3. Re: Help me!!!. Please help me fix bug Expression Language Injection in Portal
              Erik Janssen
              Hello Jackie,

              Did not notice your update on this post.

              Should you be able to create a simple test case which can demonstrate the vulnerability in Oracle Portal 11.1.1.6 with the latest CPU patch applied, you can log a ticket with the Support teams. They can then address any potential vulnerability.

              Thanks,
              EJ