Oracle I-Recruitment Redirection

`Advisory: Persistent Log Out Redirection Vulnerability in Oracle  
I-Recruitment OA.jsp  
  
CVE-2010-2408  
  
Version Affected - 11.5.10.2, 12.0.6, 12.1.3  
  
About: Oracle I-Recruitment Suite  
Oracle iRecruitment is a web based full-cycle recruiting solution that  
gives managers, recruiters and candidates the ability to manage every  
phase of finding, recruiting, hiring, and tracking new employees. It is a  
part of Oracle E-business suite.  
  
Discussion:  
The Oracle I-Recruitment suite possesses web URL redirection vulnerability  
in OA.jsp web page. It is possible to redirect a user to malicious domain  
after logging out of the application. The vulnerable parameter is  
p_home_url. When a value is passed to this parameter, it becomes  
persistent in nature and remains active until the session is expired.  
The vulnerable Link:  
https://www.example.com/OA_HTML/OA.jsp?_rc=IRC_VIS_HOME_PAGE&_ri=800&p_home_url=http://www.attacker.com  
  
An attacker can construct a URL in this way and forces user to redirect to  
the malicious link after logging out of the application.This type of  
vulnerability can be exploited by malicious attackers to launch phishing  
attacks etc  
  
The vulnerability exploitation video can be seen at SecNiche Security  
channel : http://www.youtube.com/watch?v=0lBHeqNBljU  
  
Disclosure:  
The vulnerability was disclosed to Oracle in January 2009 and is patched  
in October 2010 CPU release.  
  
Credit:  
Aditya K Sood of SecNiche Security  
  
Contact:  
adi_ks [at] secniche.org  
  
Disclaimer  
The information in the advisory is believed to be accurate at the time of  
publishing based on currently available information. Use of the  
information constitutes acceptance for use in an AS IS condition. There is  
no representation or warranties, either express or implied by or with  
respect to anything.  
  
  
  
`