UPK: Path Manipulation: Relative Path Overwrite Vulnerability In UPK
(Doc ID 2814605.1)
Last updated on OCTOBER 19, 2021
Applies to:
User Productivity Kit - Version 12.1.0.5 and later
Information in this document applies to any platform.
Goal
The Relative Path Overwrite (RPO) vulnerability, also known as Path-Relative Style Sheet Import
(PRSSI), can be used on some servers to overwrite the path to CSS files when the application
uses relative paths to include them. This attack abuses the path handling features of some web
languages and frameworks, and tricks the browsers into importing HTML content as stylesheets.
The following conditions allow for a successful RPO attack:
• Usage of relative paths to import stylesheets
• Browser uses quirks mode (this may be triggered by using the meta tag or an older doctype)
• Ability to overwrite the relative path
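The first two conditions can be checked offline against a saved page. The following Python audit is an added example, not part of the Oracle document or of UPK; the function name, sample markup and host name are constructed, and the doctype and compatibility-meta checks are heuristics. The third condition depends on server-side path handling and is not tested here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Scan(HTMLParser):
    """Collects the doctype, stylesheet hrefs and any X-UA-Compatible meta tag."""
    def __init__(self):
        super().__init__()
        self.doctype = None   # normalized doctype text, None if absent
        self.sheets = []      # href of every <link rel="stylesheet">
        self.compat = None    # content of <meta http-equiv="X-UA-Compatible">

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = " ".join(decl.split()).lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self.sheets.append(a.get("href", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-ua-compatible":
            self.compat = a.get("content", "").lower()

def audit_rpo(html, page_url):
    """Report the page-side RPO preconditions for one HTML document."""
    s = _Scan()
    s.feed(html)
    # Path-relative: no scheme, no host, and not rooted at "/".
    relative = [h for h in s.sheets
                if h and not urlsplit(h).scheme and not urlsplit(h).netloc
                and not h.startswith("/")]
    # Heuristic: anything other than <!DOCTYPE html> is flagged for review.
    legacy = s.doctype != "doctype html"
    # Heuristic: a compatibility meta tag that does not request "edge".
    compat = s.compat is not None and "edge" not in s.compat
    return {
        "relative_stylesheets": {h: urljoin(page_url, h) for h in relative},
        "legacy_or_missing_doctype": legacy,
        "compat_meta_forces_old_mode": compat,
        "exposed": bool(relative) and (legacy or compat),
    }

# Constructed sample pages (not taken from UPK output).
SAMPLE_WEAK = '''<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="X-UA-Compatible" content="IE=7">
<link rel="stylesheet" href="css/player.css"></head><body></body></html>'''
SAMPLE_FIXED = '''<!DOCTYPE html>
<html><head><link rel="stylesheet" href="/static/css/player.css"></head></html>'''
```

A page reported as `exposed` still needs the server to accept altered paths before the issue is reachable; root-relative or absolute stylesheet URLs and a standards-mode doctype remove the page-side preconditions.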
Solution
To view full details, sign in with your My Oracle Support account.