[Original] Cross-site scripting (XSS) vulnerability in the htp PL/SQL package for Oracle 9i Application Server (9iAS) allows remote attackers to inject arbitrary web script or HTML via the cbuf parameter to htp.print.
[CNNVD] Oracle 9i Application Server (9iAS) htp PL/SQL package cross-site scripting (XSS) vulnerability (CNNVD-200212-440)
A cross-site scripting (XSS) vulnerability exists in the htp PL/SQL package of Oracle 9i Application Server (9iAS). Remote attackers can inject arbitrary web script or HTML via the cbuf parameter of htp.print.
Oracle Application Server PL/SQL Module htp.print cbuf Parameter XSS
Remote / Network Access
Loss of Integrity
Oracle 9iAS contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'cbuf' variable when it is submitted to the htp.print function of the PL/SQL HTP package. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. It is also possible to correct the flaw with the following workaround: disallow access to the htp package by adding it as an exclusion entry to the wdbsvr.app file.
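
One way to verify that the workaround is in place is to audit the gateway configuration for DADs whose exclusion entries do not cover htp.print. This is an added example, not Oracle's code or part of the original advisory. It assumes wdbsvr.app is INI-style, that DAD sections are named `DAD_<name>`, and that exclusions are a comma-separated wildcard list under a key called `exclusion_list`; the sample file content is constructed.

```python
import configparser
from fnmatch import fnmatchcase

# Assumption: key name and DAD section prefix as used in wdbsvr.app.
EXCLUSION_KEY = "exclusion_list"
DAD_PREFIX = "DAD_"

# Constructed sample configuration, not taken from a real server.
SAMPLE_WDBSVR_APP = """\
[WVGATEWAY]
defaultDAD = portal
; gateway-wide settings
[DAD_portal]
username = portal_user
exclusion_list = sys.*, dbms_*, utl_*, owa_util.*
[DAD_hardened]
username = app_user
exclusion_list = sys.*, dbms_*, utl_*, owa_util.*, htp.*
[DAD_noentry]
username = legacy_user
"""

def is_excluded(procedure, patterns):
    """True if any wildcard pattern matches the procedure name (case-insensitive)."""
    proc = procedure.lower()
    return any(fnmatchcase(proc, p.strip().lower()) for p in patterns if p.strip())

def audit(config_text, procedure="htp.print"):
    """Map each DAD section to True when the procedure is blocked by its exclusions."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        comment_prefixes=(";", "#"),
    )
    parser.read_string(config_text)
    result = {}
    for section in parser.sections():
        if not section.upper().startswith(DAD_PREFIX):
            continue
        raw = parser.get(section, EXCLUSION_KEY, fallback="") or ""
        result[section] = is_excluded(procedure, raw.split(","))
    return result

if __name__ == "__main__":
    for dad, blocked in audit(SAMPLE_WDBSVR_APP).items():
        print(f"{dad}: {'htp.print excluded' if blocked else 'htp.print NOT excluded'}")
```

A DAD with no exclusion entry at all is reported the same way as one whose list omits the htp package, since in both cases the workaround has not been applied there.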