Independent security researcher Abdelmorite Eljoaydi has been credited for his work

Apr 17, 2013 14:11 GMT

Independent security researcher Abdelmorite Eljoaydi, aka Jigsaw, has reported several web vulnerabilities to Oracle over the past weeks. The company has addressed some of them with the recently released April 2013 Critical Patch Update, but others remain unfixed.

The expert has told Softpedia that he has identified one open redirect issue, a “filter bypass” cross-site scripting (XSS) vulnerability, two reflected XSS flaws, one blind SQL injection, SQL injection vulnerabilities in PL/SQL procedures that could lead to privilege escalation, and an unspecified security hole in the “search” component of the Oracle Application Server.

Of these flaws, only the open redirect and the reflected XSS issues have been addressed. Oracle has credited the researcher for his work as part of the company’s On-Line Presence Security program.

The remaining vulnerabilities, many of which have already been confirmed by Oracle, are still unfixed.

“The dangers of these kinds of vulnerabilities are very critical because they cause the compromise of the system confidentiality, compromise system integrity. A local or network attacker could exploit the [privilege escalation] vulnerability to gain Oracle DBA privileges, so it's a serious threat regarding Oracle,” the researcher explained.

“I've reported to them the issues since 4 March and I’m still interacting with the Global Security Information Team until they fix the flaws. In addition, I've briefed them about various SQL Injection issues, but they’re still working on a code fix,” he added.

In addition to Oracle, the expert claims to be collaborating with Adobe and Google on addressing some vulnerabilities in their systems.

Here is a video POC of the open redirect vulnerability identified by Abdelmorite Eljoaydi: