
UPK: Path Manipulation: Relative Path Overwrite Vulnerability In UPK (Doc ID 2814605.1)

Last updated on JULY 03, 2023

Applies to:

User Productivity Kit - Version and later
Information in this document applies to any platform.


The Relative Path Overwrite (RPO) vulnerability, also known as Path-Relative Style Sheet Import
(PRSSI), can be used on some servers to overwrite the path to CSS files when the application
uses relative paths to include them. This attack abuses the path handling features of some web
languages and frameworks, and tricks browsers into importing HTML content as stylesheets.
The following conditions allow for a successful RPO attack:
• Usage of relative paths to import stylesheets
• Browser uses quirks mode (this may be triggered by using the meta tag or an older doctype)
• Ability to overwrite the relative path
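As an added example (not part of the Oracle document or of UPK), the following audit checks a served HTML page for the first two conditions above: relative stylesheet imports and a doctype or compatibility meta tag that may put the browser in quirks mode. The third condition depends on server path handling and cannot be judged from the markup alone. The sample pages, file names and the conservative rule that only the bare `<!DOCTYPE html>` counts as safe are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages (not taken from UPK output).
LEGACY_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><link rel="stylesheet" href="css/player.css"></head><body></body></html>"""
HARDENED_PAGE = """<!DOCTYPE html>
<html><head><link rel="stylesheet" href="/static/css/player.css"></head><body></body></html>"""


class RPOConditionAudit(HTMLParser):
    """Collects the page-level RPO preconditions from one HTML document."""

    def __init__(self):
        super().__init__()
        self.doctype = None
        self.relative_stylesheets = []
        self.compat_meta = []

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = " ".join(decl.split())  # normalise whitespace

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            url = urlsplit(a.get("href", "").strip())
            # Relative = no scheme, no host, and a path not anchored at "/".
            if url.path and not (url.scheme or url.netloc or url.path.startswith("/")):
                self.relative_stylesheets.append(a["href"].strip())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-ua-compatible":
            # Any legacy-mode request other than IE=edge is flagged for review.
            if "edge" not in a.get("content", "").lower():
                self.compat_meta.append(a.get("content", ""))


def audit(html):
    """Return which RPO preconditions are visible in the markup."""
    p = RPOConditionAudit()
    p.feed(html)
    p.close()
    # Assumption: a missing or non-HTML5 doctype is treated as a quirks-mode risk.
    quirks_risk = (p.doctype or "").lower() != "doctype html" or bool(p.compat_meta)
    return {
        "relative_stylesheets": p.relative_stylesheets,
        "quirks_risk": quirks_risk,
        "both_conditions_present": bool(p.relative_stylesheets) and quirks_risk,
    }
```

A page reported with `both_conditions_present` is a candidate for root-relative or absolute stylesheet URLs and a standards-mode doctype.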

