
Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Risk: Medium
Advisory ID: ZSL-2012-5110
Release Date: 04 October 2012
Vendor: Oracle Corporation - http://www.oracle.com
Affected Version: 10g (10.1.4.0.1)
CVE: N/A
Tested On: Oracle Application Server 10g httpd 10.1.2.2.0
Summary

Oracle Identity Management enables organizations to effectively manage the end-to-end lifecycle of user identities across all enterprise resources, both within and beyond the firewall and into the cloud. The Oracle Identity Management platform delivers scalable solutions for identity governance, access management and directory services. This modern platform helps organizations strengthen security, simplify compliance and capture business opportunities around mobile and social access.

Description

Oracle Identity Management suffers from a reflected XSS (POST injection) vulnerability: user input supplied in the 'username' parameter of a POST request to the '/usermanagement/forgotpassword/index.jsp' script is reflected into the response when the parameter is parsed. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
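The defect class and its fix, as an added example that is not Oracle's code and does not reproduce the affected JSP: a constructed forgot-password form that reflects the POSTed 'username' raw (vulnerable) beside one that encodes it for the HTML attribute context (fixed), with a regression check for live markup. Only the parameter name and form action path come from the advisory; the page markup and the marker string are invented.

```python
"""Reflected XSS in a forgot-password form: vulnerable rendering beside the
hardened one. Constructed model of the defect class; it is not the
advisory's target code. The field name 'username' and the form action
path come from the advisory; everything else here is made up."""
import html

FORM_ACTION = "/usermanagement/forgotpassword/index.jsp"


def render_vulnerable(username: str) -> str:
    """Echo the POSTed username straight into the page (the defect)."""
    return (
        f'<form method="post" action="{FORM_ACTION}">'
        f'<input type="text" name="username" value="{username}">'
        "</form>"
    )


def render_fixed(username: str) -> str:
    """Encode for the HTML attribute context before reflecting.

    html.escape(..., quote=True) turns & < > " ' into entities, so the
    value can neither terminate the quoted attribute nor open a tag.
    """
    safe = html.escape(username, quote=True)
    return (
        f'<form method="post" action="{FORM_ACTION}">'
        f'<input type="text" name="username" value="{safe}">'
        "</form>"
    )


def reflects_markup(page: str, marker_tag: str = "<i>injected</i>") -> bool:
    """Regression check: is the submitted marker present as a live tag?"""
    return marker_tag in page


if __name__ == "__main__":
    # Constructed probe: closes the value attribute, then opens a harmless tag.
    probe = '"><i>injected</i>'
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(probe)))
    print("fixed reflects markup:     ", reflects_markup(render_fixed(probe)))
```

The same check can run against a captured HTTP response body to confirm a patch actually encodes the parameter rather than only filtering it.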

Proof of Concept
Disclosure Timeline
25.09.2012 - Vulnerability discovered.
28.09.2012 - Contact with the vendor.
03.10.2012 - No response from the vendor.
04.10.2012 - Public security advisory released.
07.10.2012 - After cooperating with the vendor, the following applies: all versions 10.1.4.3 and above are patched against this issue.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Bruce!
References
Changelog
04.10.2012 - Initial release.
05.10.2012 - Added reference [3].
07.10.2012 - Added vendor status and credits.
11.11.2012 - Added reference [4].