Advisory: Persistent Log Out Redirection Vulnerability in Oracle I-Recruitment OA.jsp CVE-2010-2408 Version Affected - 11.5.10.2, 12.0.6, 12.1.3 About: Oracle I-Recruitment Suite Oracle iRecruitment is a web based full-cycle recruiting solution that gives managers, recruiters and candidates the ability to manage every phase of finding, recruiting, hiring, and tracking new employees. It is a part of Oracle E-business suite. Discussion: The Oracle I-Recruitment suite possesses web URL redirection vulnerability in OA.jsp web page. It is possible to redirect a user to malicious domain after logging out of the application. The vulnerable parameter is p_home_url. When a value is passed to this parameter, it becomes persistent in nature and remains active until the session is expired. The vulnerable Link: https://www.example.com/OA_HTML/OA.jsp?_rc=IRC_VIS_HOME_PAGE&_ri=800&p_home_url=http://www.attacker.com An attacker can construct a URL in this way and forces user to redirect to the malicious link after logging out of the application.This type of vulnerability can be exploited by malicious attackers to launch phishing attacks etc The vulnerability exploitation video can be seen at SecNiche Security channel : http://www.youtube.com/watch?v=0lBHeqNBljU Disclosure: The vulnerability was disclosed to Oracle in January 2009 and is patched in October 2010 CPU release. Credit: Aditya K Sood of SecNiche Security Contact: adi_ks [at] secniche.org Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything.