-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TeamSHATTER Security Advisory
Oracle Enterprise Manager Segment Advisor Arbitrary URL redirection/phishing
vulnerability
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4; 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Qinglin Jiang of
Application Security Inc.
Details:
Oracle Enterprise Manager Database Control Segment Advisor page is vulnerable
to an arbitrary URL redirection/phishing vulnerability. An attacker may inject
an arbitrary URL into the web application and force the application to
redirect to it without any validation. This vulnerability can be used in
phishing attacks to trick legitimate users to visit malicious sites without
realizing it. The affected link and parameter are
/em/console/database/xdb/
Impact:
A remote attacker can redirect a legitimate user to a arbitrary URL, which can
result in phishing attacks, trojan distribution, and spamming.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2012-3219
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 4/26/2012
Vendor Response - 5/3/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmbNsACgkQRx91im
KDEAn2HapYPDObVhhrVtIQoHXBbC6I
=BIt8
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
Hash: SHA1
TeamSHATTER Security Advisory
Oracle Enterprise Manager Segment Advisor Arbitrary URL redirection/phishing
vulnerability
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4; 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Qinglin Jiang of
Application Security Inc.
Details:
Oracle Enterprise Manager Database Control Segment Advisor page is vulnerable
to an arbitrary URL redirection/phishing vulnerability. An attacker may inject
an arbitrary URL into the web application and force the application to
redirect to it without any validation. This vulnerability can be used in
phishing attacks to trick legitimate users to visit malicious sites without
realizing it. The affected link and parameter are
/em/console/database/xdb/
Impact:
A remote attacker can redirect a legitimate user to a arbitrary URL, which can
result in phishing attacks, trojan distribution, and spamming.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this vulnerability.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2012-3219
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 4/26/2012
Vendor Response - 5/3/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmbNsACgkQRx91im
KDEAn2HapYPDObVhhrVtIQoHXBbC6I
=BIt8
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
No comments:
Post a Comment