[NEWS] Security Issue Found with Customized Login Pages for Oracle SSO

From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/04

  • Next message: SecuriTeam: "[UNIX] MPlayer Encoded URL Heap Overflow"
    To: list@securiteam.com
    Date: 31 Mar 2004 10:26:11 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Security Issue Found with Customized Login Pages for Oracle SSO
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in Oracle SSO's mechanism allows a customized Sign On page
    to be built by administrators. A vulnerability in the sample pages (used
    by most administrators) allows an attacker to send a special URL to the
    victim (Oracle user) that once it is opened, all sensitive information
    (Usercode, Password, etc) can be made to travel to the attacker.

    DETAILS

    Oracle has a Single Sign-on application called OSSO.

    Among others, it has a web based login form. This form can be customized
    as explained in "Oracle 9iAS Single Sign-on Administrators Guide, Release
    2(9.0.2), Part No. A96115-01". In this document, a sample login form is
    published (section 8).

    The problem with this login form is that unauthorized persons are able to
    gain access to the supplied usercode and password. This is done by
    tricking a valid user into opening a URL that is the real URL of the
    customized SSO login page with a modified URL parameter.

    The problem is that the attack makes use of the real login page. Thus, if
    users check host certificates only, they will not be able to detect that
    they are being tricked. Also, after logging in, they can be redirected to
    the proper application on the intended system to hide the fact that
    usercode and password have been stolen.

    Note that the problem is a design problem in the way custom login pages
    must be implemented, not a problem with a sample script.

    Impact:
    Users can accidentally reveal their SSO usercode/password combination to
    unauthorized persons.

    Vendor response:
    Oracle came with the following solution:

    The p_submit_url value in the customized login page can be hard-coded.
    This will mitigate this issue since it will not be an input value to the
    page anymore. The p_submit_url URL value in the 902 SSO server is in the
    following format:
    http(s)://sso_host:port/pls/orasso/orasso.wwsso_app_admin.ls_login

    Recommendation:
    We recommend implementing the proposed solution.

    Of course, we hope that Oracle will update its documentation as well such
    that the p_submit_url parameter will be removed from all example code.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:advisories@madison-gurkha.com> Guido van Rooij (Madison Gurkha)
    and Arjan de Vet (Madison Gurkha).

    The original article can be found at:
    <http://www.madison-gurkha.com/advisories/MG-2004-01.txt>
    http://www.madison-gurkha.com/advisories/MG-2004-01.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] MPlayer Encoded URL Heap Overflow"

    Relevant Pages

    • [NEWS] Multiple Vulnerabilities in Oracle Database (Character Conversion, Extproc, Password Disclosu
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities were discovered in the (Oracle database server ... password is required to exploit this vulnerability. ...
      (Securiteam)
    • [EXPL] Oracle Command Line Overflow (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A locally exploitable buffer overflow has been found in the 'oracle' ... restricted sections of the database, ... 'print "A"x9850'` Segmentation fault ...
      (Securiteam)
    • [NEWS] Oracle Forms SQL Injection
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... part of the Oracle Developer Suite 10g". ... All Oracle Forms applications are by default vulnerable to SQL Injection. ... The following statement sends the result of the SQL statement: ...
      (Securiteam)
    • [EXPL] Oracle (extproc) Local/Remote Command Execution (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The attached PL/SQL code exploits the Oracle extproc directory traversal ... -- allows remote attackers to access arbitrary libraries outside of the ... create or replace package oracmd32 as ...
      (Securiteam)
    • [UNIX] Benchmark Designs WHM Autopilot Backdoor Allows Plaintext Credential Leakage
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... manages CPanel and WHM accounts, including account creation, maintenance, ... Due to a bug in client login code and the builtin login backdoor it is ...
      (Securiteam)