# Exploit Title: Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting
# Date: 16-02-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://www.oracle.com
# Affected Software: Oracle Primavera P6 Enterprise Project Portfolio Management 8.3, 8.4, 15.1, 15.2, 16.1
# Tested on: Oracle Primavera P6 Enterprise Project Portfolio Management (Build: 15.1.0.0 (B0163) 14.03.2015.1305) / Oracle WebLogic 12.1.3.0.0
# CVE: CVE-2017-10046
# Category: Web Application

Overview
--------

The Oracle Primavera Project Portfolio Management application is vulnerable to HTTP
Response Splitting.

The application takes the user's input from the languageCode parameter and includes
it in the ORA-PWEB_LANGUAGE_1111 cookie value within the "Set-Cookie" HTTP Response
header. The application allows an attacker to inject LF (line feed) characters and
break out of the headers into the message body and write arbitrary content into the
application's response.

As a result, this could enable an attacker to perform Cross-Site Scripting attacks
(XSS), redirect victims to malicious websites, and poison web and browser caches.

Details
-------

The exploit can be demonstrated as follows:

1. A malicious attacker crafts the following URL:

/p6/LoginHandler?languageCode=runesec%0a%0a%0a<script>alert(document.cookie)</script>%0a

2. The attacker sends the above URL to an Oracle Primavera Project Portfolio Management application user.

3. The "malicious" JavaScript payload will execute in the victim's browser and display a popup box showing the victim's cookies.

Please note that the payload used above is for demonstration purposes only. A real attacker would try to steal the user's cookies
or perform other malicious actions.

The above exploit was tested against the following components:

Application: Oracle Primavera (Build: 15.1.0.0 (B0163) 14.03.2015.1305)
Underlying Infrastructure: Oracle WebLogic 12.1.3.0.0

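The following is an added illustration written for this page, not Oracle's code and not the advisory author's: it models the vulnerable pattern (an unvalidated languageCode value placed straight into the Set-Cookie header), shows how a lenient parser then sees the Content-Type header and any injected text as part of the body, and places a hardened builder beside it that rejects CR/LF and restricts the value to a language-tag shape (the tag format is an assumption; the advisory only says the value is a language code).

```python
import re

# Constructed model of the flaw, not Oracle's code. The cookie name is the one
# the advisory reports; the response layout around it is assumed.
COOKIE_NAME = "ORA-PWEB_LANGUAGE_1111"


class HeaderInjection(ValueError):
    """Raised when a header value carries CR or LF."""


def build_response_unsafe(language_code: str) -> str:
    """Vulnerable pattern: the decoded query value lands in the header unchecked."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: {COOKIE_NAME}={language_code}\r\n"
            "Content-Type: text/html\r\n"
            "\r\n"
            "<html>login page</html>")


def safe_header_value(value: str) -> str:
    """Reject CR/LF outright, then allow only a language-tag shape (assumed format)."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("CR/LF not permitted in a header value")
    if not re.fullmatch(r"[A-Za-z]{2,8}(?:-[A-Za-z0-9]{1,8})*", value):
        raise HeaderInjection("languageCode is not a plausible language tag")
    return value


def build_response_safe(language_code: str) -> str:
    """Hardened pattern: validate before the value reaches Set-Cookie."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: {COOKIE_NAME}={safe_header_value(language_code)}\r\n"
            "Content-Type: text/html\r\n"
            "\r\n"
            "<html>login page</html>")


def split_response(raw: str) -> tuple:
    """Parse like a lenient client: a bare LF ends a line, the first blank line ends headers."""
    m = re.search(r"\r?\n\r?\n", raw)
    if m is None:
        return re.split(r"\r?\n", raw), ""
    return re.split(r"\r?\n", raw[:m.start()]), raw[m.end():]


if __name__ == "__main__":
    # The advisory's query value as the server sees it after URL decoding,
    # with the script payload replaced by a neutral marker (constructed input).
    value = "runesec\n\n\ninjected-content\n"
    headers, body = split_response(build_response_unsafe(value))
    print(headers)          # Content-Type is no longer in the header block
    print(repr(body))       # it and the injected text are now in the body
```

Running the script prints a two-entry header list ending at the truncated cookie, which is the "break out of the headers" behaviour the advisory describes; the hardened builder raises HeaderInjection on the same input.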
Impact
------

An attacker might be able to steal the user's session cookie and/or credentials.
As a result, the attacker would be able to gain unauthorized access to the application.
Further, an attacker might be able to poison web and/or browser caches in an attempt
to perform a persistent attack.

Mitigation
----------

Apply Critical Patch Update (CPU) of July 2017 - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

References
----------

https://blog.runesec.com/2018/02/15/oracle-primavera-http-response-splitting/
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.cvedetails.com/cve/CVE-2017-10046/
https://nvd.nist.gov/vuln/detail/CVE-2017-10046
https://www.owasp.org/index.php/HTTP_Response_Splitting
https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting

Timeline
--------

24 April 2017 - Oracle informed about the issue
July 2017 - Oracle released a patch
15 February 2018 - Exploit publicly disclosed