December 16, 2009
Oracle eBusiness Suite hacking and a Lesson about WAF vs. Secure Coding

I came across a video on Oracle eBusiness Suite that demonstrates a full step-by-step reproduction of an attack ending in a remote takeover of the administrative interfaces of the Oracle eBusiness Suite. The vulnerabilities were discovered during a penetration test performed by Hacktics' experts.

See the notes and interesting video here

In my opinion, beyond the vulnerabilities themselves, there is a more interesting lesson in the researchers' comments. The team discovered that different releases of Oracle eBusiness Suite shipped code-level fixes for a particular XSS vulnerability, but none of those fixes closed every instance of it. I am sure the developers felt they were solving the root cause, but in fact they arguably made things worse, because a partial fix creates a false sense of security: the naïve attacker can no longer use a simple <SCRIPT> payload, but the more sophisticated attacker still knows how to launch a successful XSS attack.


My assumption is that someone on the Oracle product development team discovered the XSS vulnerability (perhaps with a scanner or a manual code review) and "fixed" it with "secure" programming that blocked the one payload in front of them, missing the other attack vectors, which a WAF such as SecureSphere could easily prevent.


See below from the advisory:

It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, XSS evasion techniques to overcome certain input validation and sanitization mechanisms:

  • For earlier versions, injecting a simple <SCRIPT> suffices:

<SCRIPT>alert('XSS')</SCRIPT>

  • Some versions limit the permitted characters, and thus require the tester to insert JavaScript without utilizing tags, by injecting a script into the text box as follows:

");alert('XSS');//

  • Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:

");/*
*/alert/*
*/(/*
*/'XSS'/*
*/);//
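The following is an added example and not code from the post, from Oracle, or from the Hacktics advisory. It models a page that echoes request parameters into a JavaScript string literal, which is the context the two tag-less payloads above break out of, and runs each of the advisory's three mitigation levels against them. The setField("...") template, the filter rules, the per-field length cap of 9 characters (the advisory gives no number), the use of Node's new Function() in place of a browser's script execution, and the closing jsStringEncode() fix are all assumptions made for illustration.

```javascript
// Added example (not code from the Imperva post, Oracle, or the Hacktics
// advisory). Models a page that reflects request parameters into a JavaScript
// string literal, the context the advisory's tag-less payloads need. The
// setField("...") template, the filter rules, the length cap of 9 and the use
// of new Function() as a stand-in for the browser are assumptions.

// Hypothetical vulnerable template: each parameter lands inside setField("...").
function renderScript(values, filter) {
  return values.map((v) => `setField("${filter(v)}");`).join("\n");
}

// Run the rendered script the way a browser would, with alert() stubbed.
// Returns the alert messages; a SyntaxError means nothing executed at all.
function runAsBrowser(script) {
  const alerts = [];
  try {
    new Function("alert", "setField", script)((msg) => alerts.push(msg), () => {});
  } catch (err) {
    // SyntaxError or runtime error: the injection did not achieve execution.
  }
  return alerts;
}

// Partial, code-level "fixes" of the kind the advisory ran into.
const noFilter = (v) => v;
const stripAngleBrackets = (v) => v.replace(/[<>]/g, ""); // stops <SCRIPT>, nothing else
function stripAndLimit(max) {                               // plus a per-field length cap
  return (v) => stripAngleBrackets(v).slice(0, max);
}

// The actual root-cause fix: encode for the JavaScript string-literal context.
// Anything that could close the literal, the statement or the <script> element
// becomes a \uHHHH escape, so input length and field count no longer matter.
const jsStringEncode = (v) =>
  v.replace(/[^A-Za-z0-9 ]/g, (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));

// Payloads quoted from the advisory.
const BREAKOUT = `");alert('XSS');//`;                                // one field, 18 chars
const SPLIT = [`");/*`, `*/alert/*`, `*/(/*`, `*/'XSS'/*`, `*/);//`]; // five fields, 9 chars max

function attack(filter, fields) {
  return runAsBrowser(renderScript(fields, filter));
}

// Each entry is the list of alert() messages the injected script produced.
function demo() {
  const LIMIT = 9; // assumed cap: fits each SPLIT fragment, truncates BREAKOUT
  return {
    breakoutUnfiltered: attack(noFilter, [BREAKOUT]),             // ["XSS"]
    breakoutVsStrip:    attack(stripAngleBrackets, [BREAKOUT]),   // ["XSS"]: no tags needed
    breakoutVsLimit:    attack(stripAndLimit(LIMIT), [BREAKOUT]), // []: cut to `");alert(`, a syntax error
    splitVsLimit:       attack(stripAndLimit(LIMIT), SPLIT),      // ["XSS"]: /* */ comments glue the fields
    splitVsEncode:      attack(jsStringEncode, SPLIT),            // []
    breakoutVsEncode:   attack(jsStringEncode, [BREAKOUT]),       // []
  };
}

console.log(demo());
```

The point of the run is the middle two rows: the length cap defeats the single-field breakout but not the five-field version, because the filter reasons about each parameter on its own while the browser reasons about the assembled script. Encoding for the output context removes the characters the attacker depends on regardless of how the input is split.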
