My New Discovery In Oracle E-Business Login Panel That Allowed To Access For All Employees Information's & In Some cases Passwords At More Than 1000 Companies
Hay Hunters , Hello Infosec Community
To Introduce My Self
My Name Orwa Atyat Iam Full Time Bug Bounty Hunter As You Know Me On Twitter (GodFather Orwa)
https://twitter.com/GodfatherOrwa
And Hunting On BugCrowd For Full Time With A Current Rank 66th And On P1 Bugs Current Rank 8th
https://bugcrowd.com/orwagodfather
https://hackerone.com/mr-hakhak
Our Topic Here Is About New Discovery In Oracle E-Business Login Panel That Allowed To Access For All Employees Information’s [Emails , First & Last Name , User Name] & In Some cases Access To Data Base Passwords At More Than 1000 Companies That Used Oracle E-Business Login Panel Service
The Best Part Here It Is Not Common Vulnerability And Exposure (CVE) It Is New Vulnerability Due To This Security Issue, I Was Looking & Test It On Companies Deal With This Panel And It Work 100%
So You Can Check Your Private Programs , Or If You A Customers For Oracle Check Your Panels
As I Reported This And Fixed On About 15 Bounty Programs Like Uber, Amazon, Mastercard , Etc…..
In The Next Section Description & Steps To Reproduce
Description:
So I Discovery This Bugs On Oracle E-Business Login That When You Visit Its Like This
Target/OA_HTML/AppsLocalLogin.jsp
The Bug Here That I Can Create And Get Full Login And Access To This Panel
But When You Go To Register here Its Now Working As This Just For Employees
But You Can Register A Account On This End
Target/OA_HTML/ibeCAcpSSOReg.jsp
NOTE: Till Now This A Known Issue My Discovery After Create Account And Login
After I Found This Bug I Made Shodan Dork To Find All Oracle E-Business Login Panels
“X-ORACLE-DMS-ECID” http.title:”Login” 200
Steps To Reproduce For PII:
Visit The Target And Create Account
Target/OA_HTML/ibeCAcpSSOReg.jsp
And Back And Login With Your Credentials On
Target/OA_HTML/AppsLocalLogin.jsp
Move To Manage Proxies
Run Proxy Report
Get Access For All Employees Info
Emails &First name & Last Name & Username
Add For Employees That Start By a For Example In Search And Search
search for a or b or C Etc..
And You Can Search by Username Or First Or Last Name Or Email
And Will Got All Employees Result's
There Is Definitely More But No Need To Dig Deeper
Steps To Reproduce For Passwords:
Note its not In all Panels Enabled
Back To home Page And Check On
Diagnostic Console If You Can Find It Then Ok With This One
Visit Diagnostic Console
Visit SQL===>
In SQL Statements===>select * from FND_USER===>RUN SQL
Then You Will Get Access For
USER_IDs,
USER_NAMEs,
LAST_UPDATE_DATE,
LAST_UPDATED_BY
CREATION_DATE,
CREATED_BY,
LAST_UPDATE_LOGIN,
ENCRYPTED_FOUNDATION_PASSWORDs
All Of This Findings Was With Hackerx007 As We Collaborate On All Hunt
I Hope you guys have enjoyed the Reading
and hope you learn and found bugs and tweet by that for me that will make my happy
Stay safe dears
Orwa