Oracle Identity Management 10g (username) XSS POST Injection Vulnerability

Title: Oracle Identity Management 10g (username) XSS POST Injection Vulnerability
Advisory ID: ZSL-2012-5110
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 04.10.2012
Summary
Oracle Identity Management enables organizations to effectively manage the end-to-end lifecycle of user identities across all enterprise resources, both within and beyond the firewall and into the cloud. The Oracle Identity Management platform delivers scalable solutions for identity governance, access management and directory services. This modern platform helps organizations strengthen security, simplify compliance and capture business opportunities around mobile and social access.
Description
Oracle Identity Management suffers from a reflected cross-site scripting vulnerability: the value of the 'username' parameter, submitted via the POST method to the '/usermanagement/forgotpassword/index.jsp' script, is echoed back into the response without output encoding. Because the injection point is a POST parameter rather than a query-string parameter, it cannot be delivered as a plain link; the victim has to submit a crafted form, for example from an attacker-controlled HTML page that auto-submits to the forgot-password page. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
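The following is an added example, not part of the original advisory and not Oracle's code. It shows how a tester would confirm a reflected POST parameter of this kind without relying on the PoC file: post a random canary wrapped in attribute-breakout characters to the path and parameter named above, then classify whether the response echoes it verbatim, encoded, or not at all. The two render_* functions are constructed illustrations of the unescaped reflection the advisory describes and of its hardened (attribute-encoded) form; they stand in for the JSP, which is not reproduced here. The base URL in the probe function and the sample responses are assumptions.

```python
import html
import secrets
import urllib.parse
import urllib.request

# Path and parameter named in the advisory.
TARGET_PATH = "/usermanagement/forgotpassword/index.jsp"
PARAM = "username"


def make_canary():
    """Build a random marker wrapped in characters that any correct output
    encoder must neutralise: a quote to close an attribute, '>' to close
    the tag and '<...>' to open a new one. Returns (token, canary)."""
    token = secrets.token_hex(6)
    return token, '"><zsl' + token + '>'


def classify_reflection(body, token, canary):
    """Classify how a response body reflects the canary.

    'unescaped' - the canary appears verbatim (exploitable reflection)
    'escaped'   - the token is echoed but not with its raw metacharacters
                  (HTML-encoded or filtered)
    'absent'    - the input is not echoed at all
    """
    if canary in body:
        return "unescaped"
    if token in body:
        return "escaped"
    return "absent"


def probe(base_url, opener=urllib.request.urlopen):
    """POST the canary to the forgot-password page and classify the echo.

    base_url is a hypothetical origin such as 'http://oim.example.test'.
    `opener` is injectable so the logic can be exercised offline."""
    token, canary = make_canary()
    data = urllib.parse.urlencode({PARAM: canary}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + TARGET_PATH, data=data, method="POST"
    )
    with opener(req) as resp:
        body = resp.read().decode("utf-8", "replace")
    return classify_reflection(body, token, canary)


def render_username_field_vulnerable(username):
    """Constructed illustration of the flaw: the submitted value is placed
    straight into an attribute, so '">' breaks out of it."""
    return '<input type="text" name="%s" value="%s">' % (PARAM, username)


def render_username_field(username):
    """Hardened form: HTML-attribute-encode the echoed value. The canary's
    quote and angle brackets become entities and can no longer break out."""
    return '<input type="text" name="%s" value="%s">' % (
        PARAM,
        html.escape(username, quote=True),
    )


if __name__ == "__main__":
    token, canary = make_canary()
    # Offline demonstration on constructed responses; no network is used.
    for label, page in (
        ("vulnerable", render_username_field_vulnerable(canary)),
        ("hardened", render_username_field(canary)),
        ("no echo", "<html><body>ok</body></html>"),
    ):
        print(label, "->", classify_reflection(page, token, canary))
```

Run against a live host, probe("http://oim.example.test") returns "unescaped" on an affected build and "escaped" once the value is attribute-encoded; the random token keeps a stale cached page from producing a false positive.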
Vendor
Oracle Corporation - http://www.oracle.com
Affected Version
10g (10.1.4.0.1)
Tested On
Oracle Application Server 10g httpd 10.1.2.2.0
Vendor Status
[25.09.2012] Vulnerability discovered.
[28.09.2012] Contact with the vendor.
[03.10.2012] No response from the vendor.
[04.10.2012] Public security advisory released.
[07.10.2012] After cooperating with the vendor, the following applies: all versions from 10.1.4.3 upward (10.1.4.3 included) are patched against this issue.
PoC
oim_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Bruce!
References
[1] http://packetstormsecurity.org/files/117110
[2] http://cxsecurity.com/issue/WLB-2012100042
[3] http://www.idglabs.net/news/oracle-identity-management-10g-xss-vulnerability.html
[4] http://xforce.iss.net/xforce/xfdb/79053
Changelog
[04.10.2012] - Initial release
[05.10.2012] - Added reference [3]
[07.10.2012] - Added vendor status and credits.
[11.11.2012] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk