Vulnerabilities impacting Oracle iPlanet Web Server could result in data leakage, phishing

Vendors says it will not release a security patch as affected product has already reached end-of-life

Researchers at cyber security firm Nightwatch Security have uncovered two vulnerabilities in Oracle's iPlanet Web Server that could allow attackers to steal sensitive data and inject external images onto web pages to facilitate phishing.

According to the researchers, these bugs exist in the web admin console of iPlanet version 7, which is no longer supported by Oracle.

The first flaw, indexed as CVE-2020-9315, enables an unauthenticated individual to read any page within the admin console simply by replacing an admin GUI URL for the target page. This could result in exposure of confidential data, such as JVM configuration, encryption keys and other details.

The second bug, indexed as CVE-2020-9314, allows hackers to use the 'productNameSrc' parameter in the admin console to inject external images onto web pages.

"When used in combination with the 'productNameHeight' and 'productNameWidth' parameters, this can be used to inject an external image into a site to facilitate phishing," the researchers warn.

The vulnerability exists due to an incomplete fix for an older vulnerability CVE-2012-0516 in Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0, which allows remote attackers to affect integrity, confidentiality and availability via unknown vectors related to admin console.

The earlier fix for CVE-2012-0516 added validation against XSS issues but did not include validation to ensure that an external image is not loaded.

Nightwatch says it reported the bugs to Oracle earlier this year but, the company said that it doesn't plan to issue security patches because the affected product iPlanet Web Server 7.0.x has reached end-of-life and is no longer supported.

It is not yet known if earlier versions are affected.

Users are advised to take other security measures to mitigate the vulnerabilities. They should consider moving to a supported version of the platform or restrict network access to the admin console from the internet.

Last year, researchers from Knownsec 404 warned about a "highly critical" zero-day flaw in Oracle WebLogic server, which enabled hackers to hijack servers and execute arbitrary commands remotely.

At the time, hackers were exploiting the bug to install Sodinokibi ransomware on servers.

The vulnerability was eventually patched by Oracle in April 2019.