| Field | Value |
|---|---|
| VID | 21200 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description | Oracle allows the built-in XSLT functions to be extended through the namespace "http://www.oracle.com/XSL/Transform/java/". Using this namespace, a stylesheet can instantiate Java objects and call their methods. |
| Recommendation | Until Oracle changes the XSQL servlet so that, by default, it no longer processes a stylesheet supplied by the client, this problem must be managed as follows. Add allow-client-style='no' to the document element of every XSQL page on the affected web server. This check was tested against an example page called airport.xsql, which ships with the Oracle XSQL servlet. Because example code frequently has problems of this kind, it must be removed from production servers. |
| Related URL | CVE-2001-0126 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 5905 (ISS) |