← Advisories

Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities

Medium
Advisory ID
ZSL-2012-5114
Release Date
28 November 2012
Vendor
Oracle Corporation - http://www.oracle.com
Affected Version
8.0 Update 2 Patch3 Build 6.1 (2011-June-8 05:24)
CVE
N/A
Tested On
Oracle-iPlanet-Web-Server/7.0
Summary

Oracle OpenSSO is a complete solution that provides Web access management, federated single sign-on and Web services security in a single, self-contained application.

Description

Oracle OpenSSO suffers from multiple cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
oracleopensso_xss.htmlTXT
Disclosure Timeline
28.10.2012Vulnerabilities discovered.
28.10.2012Initial contact with the vendor.
28.10.2012Vendor responds.
29.10.2012Vendor asks more details.
29.10.2012Sent report to the vendor.
01.11.2012Asked vendor for confirmation.
02.11.2012Vendor is unable to reproduce the issues.
02.11.2012Sent more details to the vendor.
05.11.2012Asked vendor for status update.
15.11.2012Vendor still unable to reproduce the issues.
15.11.2012Sent vendor more details.
21.11.2012Asked vendor for status update.
27.11.2012No reply from the vendor.
28.11.2012Public security advisory released.
10.01.2013After cooperating with the vendor and detailed analysis it is concluded that the vulnerability is void.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://cxsecurity.com/issue/WLB-2012110221
[2]http://www.exploit-db.com/exploits/23004/
[3]http://1337day.com/exploit/19821
[4]http://www.securityfocus.com/bid/56733
[5]http://packetstormsecurity.org/files/118472
[6]http://xforce.iss.net/xforce/xfdb/80368
[7]http://www.osvdb.org/show/osvdb/88052
[8]http://www.osvdb.org/show/osvdb/88053
[9]http://www.scip.ch/en/?vuldb.7060
Changelog
28.11.2012Initial release
29.11.2012Added reference [1], [2], [3] and [4]
30.11.2012Added reference [5] and [6]
03.12.2012Added reference [7] and [8]
12.12.2012Added reference [9]
10.01.2013Added vendor status