
UPK: Path Manipulation: Relative Path Overwrite Vulnerability In UPK (Doc ID 2814605.1)

Last updated on OCTOBER 19, 2021

Applies to:

User Productivity Kit - Version 12.1.0.5 and later
Information in this document applies to any platform.

Goal


The Relative Path Overwrite (RPO) vulnerability, also known as Path-Relative Style Sheet Import
(PRSSI), can be used on some servers to overwrite the path to CSS files when the application
uses relative paths to include them. This attack abuses the path-handling features of some web
languages and frameworks, and tricks browsers into importing HTML content as stylesheets.
The following conditions allow for a successful RPO attack:
• Usage of relative paths to import stylesheets
• Browser uses quirks mode (this may be triggered by using the meta tag or an older doctype)
• Ability to overwrite the relative path
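
The first two conditions can be checked directly in a page's markup. The script below is an added example, not Oracle's code or part of UPK: the sample pages, the names `RPOAudit` and `rpo_preconditions`, and the doctype and `X-UA-Compatible` heuristics are assumptions. The third condition depends on how the server handles request paths and is not tested here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RPOAudit(HTMLParser):
    """Records the page features that correspond to the RPO conditions."""
    def __init__(self):
        super().__init__()
        self.doctype = None      # normalised <!DOCTYPE ...> text, if any
        self.relative_css = []   # stylesheet hrefs resolved against the page path
        self.compat = None       # X-UA-Compatible meta content, if any

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = " ".join(decl.lower().split())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            href, parts = a.get("href", ""), urlsplit(a.get("href", ""))
            # Path-relative: no scheme, no host, not rooted at "/".
            if href and not (parts.scheme or parts.netloc or href.startswith("/")):
                self.relative_css.append(href)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-ua-compatible":
            self.compat = a.get("content", "").lower().replace(" ", "")

def rpo_preconditions(html):
    """Heuristic check of the two conditions visible in the markup."""
    p = RPOAudit()
    p.feed(html)
    p.close()
    # Assumption: anything other than <!DOCTYPE html> needs a rendering-mode review.
    quirks = p.doctype != "doctype html" or (
        p.compat is not None and "ie=edge" not in p.compat)
    return {"relative_stylesheets": p.relative_css,
            "quirks_mode_risk": quirks,
            "at_risk": bool(p.relative_css) and quirks}

# Constructed sample pages (not taken from UPK output).
LEGACY_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="X-UA-Compatible" content="IE=5">
<link rel="stylesheet" href="css/player.css"></head><body></body></html>"""
HARDENED_PAGE = """<!DOCTYPE html>
<html><head><link rel="stylesheet" href="/css/player.css"></head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("legacy", LEGACY_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, rpo_preconditions(page))
```

A page is reported as `at_risk` only when both markup conditions hold, so a root-relative stylesheet path or a standards-mode doctype alone clears the flag.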
 

Solution

To view full details, sign in with your My Oracle Support account.
