Oracle.Single.Sign.On.Information.Disclosure
Description
This indicates a possible exploit of a credential disclosure vulnerability in the sample login form of Oracle 9i Application Server (9iAS) that may allow remote attackers to steal users' passwords via the p_submit_url parameter.
Affected Products
Oracle Oracle HTTP Server 9.2.0
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 8.1.7
Oracle Oracle9i Application Server 9.0.3.1
Oracle Oracle9i Application Server 9.0.3
Oracle Oracle9i Application Server 9.0.2.3
Oracle Oracle9i Application Server 9.0.2.2
Oracle Oracle9i Application Server 9.0.2.1
Oracle Oracle9i Application Server 9.0.2.0.1
Oracle Oracle9i Application Server 9.0.2.0.0
Oracle Oracle9i Application Server 9.0.2
Oracle Oracle9i Application Server 1.0.2.2.2
Oracle Oracle9i Application Server 1.0.2.2
Oracle Oracle9i Application Server 1.0.2.1s
Oracle Oracle9i Application Server 1.0.2
Impact
Information disclosure.
Recommended Actions
Oracle has released the following solution:
The p_submit_url value in the customized login page can be hard-coded. This mitigates the issue because the value is no longer an input to the page.
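A log check that complements the fix above, as an added example (not Oracle's code and not the signature itself): it flags requests whose p_submit_url value points anywhere other than the server itself or an allow-listed host. The host sso.example.com, the /login path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts the login form may legitimately post credentials to.
TRUSTED_SUBMIT_HOSTS = {"sso.example.com"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def submit_url_findings(request_target, trusted_hosts=TRUSTED_SUBMIT_HOSTS):
    """Return p_submit_url values that would send the form off-site."""
    findings = []
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    for name, values in params.items():      # parse_qs percent-decodes once
        if name.lower() != "p_submit_url":
            continue
        for value in values:
            try:
                # Browsers treat "\" like "/" in URLs, so normalise first.
                target = urlsplit(value.strip().replace("\\", "/"))
                host = (target.hostname or "").lower()
            except ValueError:                # malformed authority: report it
                findings.append(value)
                continue
            if not target.scheme and not host:
                continue                      # relative path stays on this server
            if target.scheme not in ("", "http", "https") or host not in trusted_hosts:
                findings.append(value)
    return findings

def scan_access_log(lines, trusted_hosts=TRUSTED_SUBMIT_HOSTS):
    """Return (line_number, offending_values) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            found = submit_url_findings(match.group(1), trusted_hosts)
            if found:
                hits.append((number, found))
    return hits

# Constructed sample lines (Common Log Format); hosts and paths are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /login?lang=en HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2003:10:00:05 +0000] "GET /login?p_submit_url=%2Flogin%2Fsubmit HTTP/1.0" 200 512',
    '192.0.2.12 - - [01/Jan/2003:10:00:09 +0000] "GET /login?p_submit_url=https%3A%2F%2Fsso.example.com%2Flogin%2Fsubmit HTTP/1.0" 200 512',
    '192.0.2.13 - - [01/Jan/2003:10:00:14 +0000] "GET /login?P_SUBMIT_URL=http%3A%2F%2Fcollector.example.net%2Fc HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, values in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: off-site p_submit_url -> {values}")
```

Once the value is hard-coded as recommended, any request that still carries p_submit_url is unexpected and worth reviewing regardless of where it points.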
Coverage
IPS (Regular DB)
IPS (Extended DB)