wwv_flow security issues.

memoran, Dec 14 2009 — edited Jan 29 2011
With the wwv_flow command within APEX, are there security issues with the following:

.show: Change the 'p_widget_name' value to 'worksheet>%22%27><img%20src%3d%22javascript:alert(51733)%22>'
The test successfully embedded a script in the response, and it will be executed once the page is loaded in the user's
browser. This means the application is vulnerable to Cross-Site Scripting.

.show: Change the parameter 'p_widget_name' value to
'worksheet%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%3E'
The test response contained a link to the URL "http://demo.testfire.net", which proves that the Phishing attempt was
successful.

.accept: Is there security in place to protect from SQL injection?

The same with temp variables x01..x10?

Thanks,

Mark
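Before accepting a scanner's "vulnerable to Cross-Site Scripting" verdict on the two wwv_flow.show requests quoted above, it is worth decoding the payloads and checking how the server actually echoed them. The following is an added example, not code from the post or from Oracle APEX: it decodes the two p_widget_name values exactly as the scanner sent them, classifies a response body as reflecting the payload raw, HTML-escaped, or not at all, and lists any iframe targets (the phishing claim). It makes no network request; the two response bodies per payload are constructed here for illustration, and the `<div id="region">` wrapper is a hypothetical placeholder, not real APEX markup.

```python
"""Check how a reflected parameter was echoed before accepting a scanner's XSS verdict.

Added example for the wwv_flow.show 'p_widget_name' findings quoted in the post. Not Oracle
code; no server is contacted. The response bodies below are constructed for illustration.
"""
import html
import re
from urllib.parse import unquote_plus

# The two p_widget_name values exactly as the scanner report in the post shows them (URL-encoded).
SCANNER_PAYLOADS = {
    "img_javascript_src": "worksheet>%22%27><img%20src%3d%22javascript:alert(51733)%22>",
    "iframe_phish": "worksheet%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%3E",
}

# Matches the src attribute of an <iframe>, quoted or unquoted (the scanner's iframe payload is unquoted).
IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_payload(encoded):
    """Return the literal string the server sees: percent-decoded, with '+' treated as a space."""
    return unquote_plus(encoded)


def classify_reflection(payload, body):
    """Say how `body` reflects the decoded `payload`.

    'unescaped' - the payload appears verbatim, so its < > " ' are live markup (the XSS is real)
    'escaped'   - only the HTML-entity-encoded form appears (output encoding was applied)
    'absent'    - neither form is present; the echo was partial, transformed, or in another context
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def iframe_targets(body):
    """List the src URL of every <iframe> in `body`; the phishing injection only 'worked' if its URL is here."""
    return IFRAME_SRC.findall(body)


def constructed_responses(payload_key):
    """Two constructed response bodies for one payload: one echoing it raw, one HTML-escaping it.

    Constructed for this example, not captured from any APEX instance. The wrapper markup
    (a hypothetical <div id="region">) is arbitrary; only the echo inside it matters.
    """
    decoded = decode_payload(SCANNER_PAYLOADS[payload_key])
    template = '<html><body><div id="region">{}</div></body></html>'
    return {
        "raw_echo": template.format(decoded),
        "escaped_echo": template.format(html.escape(decoded, quote=True)),
    }


def verdicts(payload_key):
    """Return {body_name: reflection class} for the two constructed bodies of one payload."""
    decoded = decode_payload(SCANNER_PAYLOADS[payload_key])
    return {name: classify_reflection(decoded, body)
            for name, body in constructed_responses(payload_key).items()}


if __name__ == "__main__":
    for key in SCANNER_PAYLOADS:
        print(key, "->", repr(decode_payload(SCANNER_PAYLOADS[key])))
        print("  ", verdicts(key))
    print("iframe targets in raw echo:",
          iframe_targets(constructed_responses("iframe_phish")["raw_echo"]))
```

To use this against a real finding, feed `classify_reflection` the decoded payload and the body the scanner captured. An 'absent' result together with a scanner hit means the echo was partial (for example only `<` and `>` encoded, quotes left intact) or landed in a JavaScript or attribute context, and that case needs a manual look rather than a pass. The SQL injection question about wwv_flow.accept and x01..x10 cannot be settled from the request side at all: whether those submitted values reach a query through bind variables or through string concatenation in the application's own PL/SQL is what decides it.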
Post Details
Locked on Feb 26 2011
Added on Dec 14 2009
2 comments
1,477 views