Oracle HTTP Server 'Expect' Header Cross-Site Scripting Vulnerability Network Vulnerability

Summary

This host is running Oracle HTTP Server and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Impact Level: Application

Solution

Upgrade to Oracle HTTP Server 11g or later, For updates refer to http://www.oracle.com/technetwork/middleware/ias/downloads/index.html

Insight

The flaw is caused by improper validation of user-supplied input passed via the 'Expect' header from an HTTP request, which allows attackers to execute arbitrary HTML and script code on the web server.

Affected

Oracle HTTP Server for Oracle Application Server 10g Release 2.

References

http://www.exploit-db.com/exploits/17393/
http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html

Updated on 2017-03-28

Severity

Classification

CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

jHTTPd Directory Traversal Vulnerability
Ecava IntegraXor Account Information Disclosure Vulnerability
Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure Vulnerability
Acritum Femitter Server URI Directory Traversal Vulnerability
Apache HTTP Server mod_proxy_ajp Process Timeout DoS Vulnerability (Windows)

Take action and discover your vulnerabilities