Oracle FCDB <= 10.5 Cross Site Scripting Vulnerability

2017.10.28
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Title: Cross Site Scripting - Oracle Flex cube Direct Banking Application 10.5
Application: Oracle FCDB
Versions Affected: <= 10.5
Vendor URL: http://www.oracle.com/
Software URL: http://www.oracle.com/us/products/applications/financial-services/flexcube/index.html
Discovered by: Ajay Gowtham
Tested on: Windows 8.1 Pro
Bugs: Reflected XSS
Date: 24-Oct-2017

-------------------------------------------------------------
Oracle FCDB <= 10.5 Cross Site Scripting Vulnerability
-------------------------------------------------------------

Overview of the Software:
-------------------------
Address Customer Needs, Empower Knowledge Workers and Improve Agility
Provides a comprehensive, integrated, interoperable, and modular solution that enables banks to manage evolving customer expectations

[-] Affected Versions:
All versions > Oracle Flex cube Direct Banking Software 10.5

Note: The payload will bypass most of the WAFs running behind the application. Successfully tested on Incapsula WAF.

[-] Vulnerability Description:
The vulnerable code can be triggered through the 'document.frmmain.fldbranchlocation.value='PAYLOAD HERE';' assignment defined for the atm_locator module:

    </script><!--[if lte IE 7]><link rel="stylesheet" href="css/L_COLPAL1/eng_01.css" type="text/css" /><![endif]--><!--[if (!IE) | (gte IE 8)]--><link
    rel="stylesheet" href="css/L_COLPAL1/eng_01.uri.css" type="text/css"><!--[endif]--><meta name="viewport" content="width=device-width; initial-scale=1; minimal-ui">
    <script type="text/JavaScript" language="JavaScript">
    function initialize () {
        if (document.frmmain.fldbranchlocation.value == '') {
            // Reflection point: the user-supplied branch location is written
            // straight into this JavaScript string literal by the server.
            document.frmmain.fldbranchlocation.value = 'PAYLOAD HERE';
        }
    }
    function fnSearch () {
        /*
        if (document.frmmain.fldbranchlocation.value == '') {
            alert("Invalid location");
            return;
        }*/
        document.frmmain.fldRequestId.value = "RRLOB02";
        document.frmmain.fldLangId.value = 'eng';
        document.frmmain.fldDeviceId.value = '01';
        document.frmmain.submit();
        return;
    }

The vulnerability exists because this method uses an unsanitized value that can be arbitrarily manipulated by a user through the user interface. This can be exploited to inject arbitrary objects into the application scope and could allow authenticated attackers to execute arbitrary code via specially crafted serialized objects. Successful exploitation of this vulnerability requires a user account login.

PoC: https://drive.google.com/drive/folders/0B2p8gG1WpnRnaVA2N2FHNDZkeXM?usp=sharing

[-] Solution:
Update to version 12.5 or later.

Timeline:
07.07.2017 - Vendor notified
12.09.2017 - Vendor response: "no time to fix"
27.09.2017 - Vendor notified of possible disclosure (no answer)
24.10.2017 - Public disclosure
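As an added example (not part of the advisory and not Oracle's code), the following JavaScript contrasts the raw-concatenation pattern the snippet above exhibits with encoding for a JavaScript string-literal context, plus a review check that catches the unsafe output; all function names and the sample input are constructed.

```javascript
// Added example (not Oracle's code): safe vs unsafe embedding of a user-supplied
// value into a JavaScript string literal inside an inline <script> block, the
// context the advisory's atm_locator snippet writes fldbranchlocation into.

// Vulnerable pattern: the value is concatenated raw into the literal, so a quote
// ends the literal and a "</script>" ends the whole script block.
function renderUnsafe(location) {
  return "document.frmmain.fldbranchlocation.value='" + location + "';";
}

// Hardened pattern: every character outside a small allow-list becomes a
// \xHH or \uHHHH escape. The escapes are only interpreted by the JS lexer,
// so the HTML parser never sees a literal quote, "<", "/" or newline.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

function renderSafe(location) {
  return "document.frmmain.fldbranchlocation.value='" + jsStringEncode(location) + "';";
}

// Review/test check: the emitted statement must contain exactly one string
// literal (two quote characters) and no script terminator.
function isSingleLiteral(statement) {
  const quotes = (statement.match(/'/g) || []).length;
  return quotes === 2 && !/<\/script/i.test(statement);
}

// Constructed input (not from the advisory): a branch name carrying the
// characters a reflected-XSS probe of this field would rely on.
const hostile = "Main St' ; </script>";
```

`isSingleLiteral(renderUnsafe(hostile))` is false while `isSingleLiteral(renderSafe(hostile))` is true, and evaluating the encoded literal yields the original branch name unchanged.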


Copyright 2018, cxsecurity.com