Oracle FCDB <= 10.5 Cross Site Scripting Vulnerability

Date: 28 Oct 2017 00:00:00
Reported by: Ajay Gowtham
Type: zdt
Source: 0day.today

Oracle FCDB 10.5 Cross Site Scripting Vulnerability, Unsanitized input method, Successful exploitation with user account logi

Code
Title: Cross Site Scripting - Oracle Flex cube Direct Banking Application 10.5
Application: Oracle FCDB
Versions Affected: <= 10.5
Vendor URL: http://www.oracle.com/
Software URL: http://www.oracle.com/us/products/applications/financial-services/flexcube/index.html
Discovered by: Ajay Gowtham
Tested on: Windows 8.1 Pro
Bugs: Reflected XSS
Date: 24-Oct-2017

-------------------------------------------------------------
Oracle FCDB <= 10.5 Cross Site Scripting Vulnerability
-------------------------------------------------------------

Overview of the Software:
-------------------------
Address Customer Needs, Empower Knowledge Workers and Improve Agility. Provides a comprehensive, integrated, interoperable, and modular solution that enables banks to manage evolving customer expectations.

[-] Affected Versions:

All versions > Oracle Flex cube Direct Banking Software 10.5

Note: The payload will bypass most of the WAFs running in front of the application. Successfully tested on Incapsula WAF.

[-] Vulnerability Description: 

The vulnerable code can be triggered through the "document.frmmain.fldbranchlocation.value='PAYLOAD HERE';" assignment in the initialize() function defined for the atm_locator module.

</script><!--[if lte IE 7]><link rel="stylesheet" href="css/L_COLPAL1/eng_01.css" type="text/css" /><![endif]--><!--[if (!IE) | (gte IE 8)]--><link rel="stylesheet" href="css/L_COLPAL1/eng_01.uri.css" type="text/css"><!--[endif]--><meta name="viewport" content="width=device-width; initial-scale=1; minimal-ui"><script type="text/JavaScript" language="JavaScript">
function initialize (){

   if(document.frmmain.fldbranchlocation.value==''){
      /* the user-supplied branch location is written into this string literal
         without encoding for the JavaScript context: reflected XSS */
      document.frmmain.fldbranchlocation.value='PAYLOAD HERE';
   }

}
function fnSearch () {
   /*
   if(document.frmmain.fldbranchlocation.value==''){
          alert("Invalid location");
          return;
   }*/
   document.frmmain.fldRequestId.value = "RRLOB02";
   document.frmmain.fldLangId.value = 'eng';
   document.frmmain.fldDeviceId.value = '01' ;
   document.frmmain.submit();
   return;

}


The vulnerability exists because this function writes the unsanitized branch-location value, which a user can arbitrarily manipulate through the user interface, directly into the inline script. This can be exploited to inject arbitrary script into the page (reflected XSS) and could allow authenticated attackers to execute arbitrary code in the victim's browser via a specially crafted request. Successful exploitation of this vulnerability requires a user account login.
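The following is an added example, not code from the advisory or from Oracle FCDB: it contrasts the unsafe string concatenation that produces the inline script above with a renderer that encodes the branch-location value for the JavaScript string-literal context before it reaches the page. The function names and the sample input are assumptions made for illustration; in the real application the encoding belongs server-side where the page is generated.

```javascript
// Added example (not the advisory's or Oracle's code). Function names and
// sample data are constructed for illustration.

// Unsafe: raw concatenation, the pattern behind
// document.frmmain.fldbranchlocation.value='PAYLOAD HERE';
function renderUnsafe(location) {
  return "document.frmmain.fldbranchlocation.value='" + location + "';";
}

// Encode a value for a single-quoted JS string literal inside a <script> block.
// Backslash and quotes are escaped so the literal cannot be closed early;
// '<', '>', '&' are \x-encoded so the HTML parser never sees "</script>";
// line terminators (incl. U+2028/U+2029) are escaped so the statement cannot be split.
function jsStringEncode(value) {
  return String(value).replace(/[\\'"<>&\r\n\u2028\u2029]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16);
    return hex.length <= 2 ? "\\x" + hex.padStart(2, "0") : "\\u" + hex.padStart(4, "0");
  });
}

// Hardened: same statement, value encoded for the context it is written into.
function renderSafe(location) {
  return "document.frmmain.fldbranchlocation.value='" + jsStringEncode(location) + "';";
}

// Check used by the assertions: the rendered statement is intact when the only
// single quotes are the two delimiters and "</script" never appears in it.
function scriptIsIntact(rendered) {
  const quotes = (rendered.match(/'/g) || []).length;
  return quotes === 2 && !/<\/script/i.test(rendered);
}

// Round trip: evaluating the encoded literal yields the original value, so the
// encoding loses no legitimate characters (apostrophes in place names, etc.).
function roundTrip(value) {
  return new Function("return '" + jsStringEncode(value) + "';")();
}

// Constructed sample input: a branch value that tries to close both the
// string literal and the surrounding <script> element.
const SAMPLE_INPUT = "Chennai';</script><b>x";
```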

PoC: https://drive.google.com/drive/folders/0B2p8gG1WpnRnaVA2N2FHNDZkeXM?usp=sharing

[-] Solution: 

Update to version 12.5 or later.

Timeline: 

07.07.2017 - Vendor notified
12.09.2017 - Vendor response: "no time to fix"
27.09.2017 - Vendor notified of possible disclosure (no answer)
24.10.2017 - Public disclosure

#  0day.today [2018-01-02]  #
