Security Holes in Oracle’s Demantra

Wednesday, March 5, 2014 @ 05:03 PM gHale

There were four security vulnerabilities in Oracle’s Demantra, part of the Value Chain Planning suite of software.

Security research firm Portcullis discovered the security flaws, which could allow an attacker to steal sensitive information, carry out phishing attacks, and change content within the application itself, among other types of attack.

Enterprises Aware, but Remain Vulnerable
DDoS Attacks: Smarter, Faster, Severe
Stronger Voice Needed with Security Policies
Report: Security Needs Proactive Approach

The first vulnerability, which London-based Portcullis called “Stored cross-site scripting in Oracle Demantra,” enables attackers to obtain active HTML or script code executed in an authenticated user’s browser.

“Cross-site scripting may be used to perform attacks such as session hijacking by invoking the user’s browser to send information stored in their cookies (such as a session identification token) to an arbitrary location controlled by the attacker,” said Portcullis Chief Technology Officer Oliver Gruskovnjak.

“Furnished with this information the attacker could immediately access the site, masquerading as the authenticated user who viewed the page containing the malicious code. The attacker would then be able to perform actions as the authorized user, subject to their role, which could include viewing sensitive data, modifying profile information and making transactions,” he said.

The second vulnerability, “SQL injection in Oracle Demantra,” enables an attacker to manipulate queries sent to the database.

Groskovnjak said this could result in hackers being able to extract sensitive information, including (but not limited to) authentication credentials and personal details.

“Such information could be sold by the attacker to other malicious individuals, used in other attacks (as the same password is often used across systems) or released publicly to damage the organisation’s reputation,” Gruskovnjak said.

Hackers could also use this flaw to modify content within the application.

“If this was possible, the attacker could add malicious code to the application, which could then be used to deliver malware or exploit issues within client browsers,” Groskovnjak said.

The third vulnerability, “Reflective cross-site scripting in Oracle Demantra,” enables attackers to get active HTML or script code executed in an authenticated user’s browser.

The final vulnerability is, “Arbitrary file retrieval in Oracle Demantra.” Portcullis discovered a Local File Include (LFI) vulnerability. A file inclusion vulnerability occurs when a file from the target system injects into a page on the attacked server page.

Groskovnjak said the impact can differ based on the exploitation and the read permission of the web server user.

Depending on these factors, Groskovnjak said an attacker might carry out one or more of the following attacks:
• Harvest useful information from the web.xml configuration file.
• Download the whole web application source code like the vulnerable page itself.

Leave a Reply

You must be logged in to post a comment.