Twenty Year Anniversary

Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting

Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting
Posted Feb 17, 2018
Authored by Marios Nicolaides

Oracle Primavera P6 Enterprise Project Portfolio Management suffers from an HTTP response splitting vulnerability.

tags | exploit, web
advisories | CVE-2017-10046
MD5 | a5494c501980cc768bbb9e16ba3de436

Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting

Change Mirror Download
# Exploit Title: Oracle Primavera P6 Enterprise Project Portfolio Management HTTP Response Splitting
# Date: 16-02-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://www.oracle.com
# Affected Software: Oracle Primavera P6 Enterprise Project Portfolio Management 8.3, 8.4, 15.1, 15.2, 16.1
# Tested on: Oracle Primavera P6 Enterprise Project Portfolio Management (Build: 15.1.0.0 (B0163) 14.03.2015.1305) / Oracle WebLogic 12.1.3.0.0
# CVE: CVE-2017-10046
# Category: Web Application

Overview
--------

The Oracle Primavera Project Portfolio Management application is vulnerable to HTTP
Response Splitting.

The application takes the user's input from the languageCode parameter and includes
it in the ORA-PWEB_LANGUAGE_1111 cookie value within the "Set-Cookie" HTTP Response
header. The application allows an attacker to inject LF (line feed) characters and
break out of the headers into the message body and write arbitrary content into the
application's response.

As a result, this could enable an attacker to perform Cross-Site Scripting attacks
(XSS), redirect victims to malicious websites, and poison web and browser caches.


Details
-------

The exploit can be demonstrated as follows:
1. A malicious attacker crafts the following URL:
/p6/LoginHandler?languageCode=runesec%0a%0a%0a<script>alert(document.cookie)</script>%0a
2. The attacker sends the above URL to an Oracle Primavera Project Portfolio Management application user.
3. The "malicious" JavaScript payload will execute in the victim's browser and display a popup box showing the victim's cookies.

Please note that the payload used above is for demonstration purposes only. A real attacker would try to steal the user's cookies
or perform other malicious actions.

The above exploit was tested against the following components:
Application: Oracle Primavera (Build: 15.1.0.0 (B0163) 14.03.2015.1305)
Underlying Infrastructure: Oracle WebLogic 12.1.3.0.0


Impact
------

An attacker might be able to steal the user's session cookie and/or credentials.
As a result, the attacker would be able to gain unauthorized access to the application.
Further, an attacker might be able to poison web and/or browser caches in an attempt
to perform a persistent attack.


Mitigation
----------

Apply Critical Patch Update (CPU) of July 2017 - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html


References
----------
https://blog.runesec.com/2018/02/15/oracle-primavera-http-response-splitting/
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.cvedetails.com/cve/CVE-2017-10046/
https://nvd.nist.gov/vuln/detail/CVE-2017-10046
https://www.owasp.org/index.php/HTTP_Response_Splitting
https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting


Timeline
--------

24 April 2017 - Oracle informed about the issue
July 2017 - Oracle released a patch
15 February 2018 - Exploit publicly disclosed

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    9 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    34 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close