Title: Cross-Site Scripting - Oracle FLEXCUBE Direct Banking Application 10.5
Application: Oracle FCDB
Versions Affected: <= 10.5
Vendor URL: http://www.oracle.com/
Software URL: http://www.oracle.com/us/products/applications/financial-services/flexcube/index.html
Discovered by: Ajay Gowtham
Tested on: Windows 8.1 Pro
Bugs: Reflected XSS
Date: 24-Oct-2017
-------------------------------------------------------------
Oracle FCDB <= 10.5 Cross Site Scripting Vulnerability
-------------------------------------------------------------
Overview of the Software:
-------------------------
Address Customer Needs, Empower Knowledge Workers and Improve Agility: provides a comprehensive, integrated, interoperable, and modular solution that enables banks to manage evolving customer expectations.
[-] Affected Versions:
Oracle FLEXCUBE Direct Banking Software 10.5 and earlier
Note: The payload bypasses most WAFs protecting the application. Successfully tested against Incapsula WAF.
[-] Vulnerability Description:
The vulnerable code path is the assignment 'document.frmmain.fldbranchlocation.value='PAYLOAD HERE';' inside the initialize() function of the atm_locator module, where the user-supplied branch location is written directly into a JavaScript string literal in the page source:
</script><!--[if lte IE 7]><link rel="stylesheet" href="css/L_COLPAL1/eng_01.css" type="text/css" /><![endif]--><!--[if (!IE) | (gte IE 8)]--><link rel="stylesheet" href="css/L_COLPAL1/eng_01.uri.css" type="text/css"><!--[endif]--><meta name="viewport" content="width=device-width; initial-scale=1; minimal-ui"><script type="text/JavaScript" language="JavaScript">
function initialize (){

if(document.frmmain.fldbranchlocation.value==''){
document.frmmain.fldbranchlocation.value='PAYLOAD HERE';
}

}
function fnSearch () {
/*
if(document.frmmain.fldbranchlocation.value==''){
alert("Invalid location");
return;
}*/
document.frmmain.fldRequestId.value = "RRLOB02";
document.frmmain.fldLangId.value = 'eng';
document.frmmain.fldDeviceId.value = '01' ;
document.frmmain.submit();
return;

}
The vulnerability exists because the branch-location value, which a user can set arbitrarily through the user interface, is reflected into the inline script without sanitization or output encoding. A value that breaks out of the string literal is interpreted as script, which could allow authenticated attackers to execute arbitrary script in the browser of a user who opens the crafted page. Successful exploitation of this vulnerability requires a user account login.
PoC: https://drive.google.com/drive/folders/0B2p8gG1WpnRnaVA2N2FHNDZkeXM?usp=sharing
[-] Solution:
Update to version 12.5 or later.
Timeline:
07.07.2017 - Vendor notified
12.09.2017 - Vendor response: "no time to fix"
27.09.2017 - Vendor notified of possible disclosure (no answer)
24.10.2017 - Public disclosure