Advisory: HTTP Response Splitting in Orace Enterprise Manager (policyViewSettings)Team Shatter Exclusive

Posted February 20, 2013 by Alex Rothacker in Oracle, Security Advisory, Team Shatter Exclusive with 0 comments

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security Inc.

Details:
HTTP Response Splitting is a web application vulnerability where input parameters are unsafely used in response headers allowing an attacker to make the server print one (or more) new line sequences in the header section which allows to set arbitrary headers, take control of the body, or break the response into two or more separate responses.  This can be used to perform cross-site scripting, cross-user defacement and web cache poisoning, among other attacks.
The ‘pagename’ parameter of web page /em/console/ecm/policy/policyViewSettings is vulnerable to this kind of attacks.

*Download AppDetectivePRO Now for a FREE Database Security Assessment*

Impact:
An attacker that convinces a valid Oracle Enterprise Manager user to click or open a malicious link can take over the user’s session.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0354

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/topics/general/team-shatter-exclusive/advisory-http-response-splitting-in-orace-enterprise-manager-policyviewsettings/

Timeline:
Vendor Notification – 6/25/2012
Vendor Response – 6/29/2012
Fix – 1/15/2013
Public Disclosure – 1/31/2013

*Download AppDetectivePRO Now for a FREE Database Security Assessment*

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

Please note: JavaScript is required to post comments.

Powered by