Oracle iPlanet: Researchers Found Data Leak And Phishing In Web Servers
Researchers dug deep and found vulnerabilities and data leaks in Oracle iPlanet web servers. The flaws are tracked as CVE-2020-9315 and CVE-2020-9314, and both of the disclosed issues allow exposure of sensitive data. The issues were found on January 19, 2019, in the administration console of Oracle's server management system.
The iPlanet Security Breaches Caused By The Two Flaws
The first security flaw, CVE-2020-9315, allowed any page in the console to be read, simply by replacing the admin GUI URL with the URL of the target page. According to the researchers, this could leak sensitive data, including encryption keys and configuration details.
CVE-2020-9314 was the second security flaw discovered. It was found in the console's “productNameSrc” parameter, which could be abused together with “productNameHeight” and “productNameWidth”. This breach arose from an incomplete fix for another flaw, CVE-2020-9316.
CVE-2020-9316 is an unspecified security issue involving XSS validation problems. These parameters could be abused to inject images into the domain for phishing and social engineering. However, this does not mean that earlier versions of the application are affected; it may be that only Oracle iPlanet Web Server 7.0.x is affected.
However, there are no plans to fix these issues, because iPlanet Web Server 7.0.x is no longer supported by Oracle, so the company will not address any future problems with it. That means any company still using this old version has only two options: restrict network access to the server, or upgrade.
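As an added illustration (not code from the article, the researchers, or Oracle), the following Python script shows how a defender running an unsupported 7.0.x instance might check web-server access logs for the two conditions described above: requests reaching the admin console from networks that should not be able to reach it (the "restrict network access" advice turned into a check), and requests carrying productNameSrc, productNameHeight or productNameWidth values outside their expected shape, such as an image source pointing at a foreign host. The admin console path prefix (/admingui/), the trusted network range and the log lines are all assumptions constructed for this example; only the three parameter names come from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (hypothetical, not from the advisory): path prefix under which the
# admin console is served.
ADMIN_PREFIX = "/admingui/"
# Assumed (constructed): the only network that should ever reach the console.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Parameter names from the CVE-2020-9314 / CVE-2020-9316 write-up.
WATCHED_PARAMS = ("productNameSrc", "productNameHeight", "productNameWidth")

# Constructed sample log in common log format; these are not real iPlanet logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [19/Jan/2019:10:00:01 +0000] "GET /admingui/status.jsp HTTP/1.1" 200 512
203.0.113.7 - - [19/Jan/2019:10:00:02 +0000] "GET /admingui/config.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [19/Jan/2019:10:00:03 +0000] "GET /admingui/index.jsp?productNameSrc=http://evil.example/logo.png&productNameWidth=300&productNameHeight=80 HTTP/1.1" 200 1024
10.0.0.5 - admin [19/Jan/2019:10:00:04 +0000] "GET /admingui/index.jsp?productNameSrc=/images/product.png HTTP/1.1" 200 1024
10.0.0.5 - admin [19/Jan/2019:10:00:05 +0000] "GET /admingui/index.jsp?productNameWidth=%22300%22 HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def _ip_allowed(ip_text):
    """True if the client address lies inside a trusted admin network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_ADMIN_NETS)


def _suspicious_param_values(query):
    """Return (name, value, reason) for watched parameters with unexpected values."""
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            parts = urlsplit(value)
            if name == "productNameSrc" and parts.scheme and parts.netloc:
                findings.append((name, value, "absolute URL: image would load from a foreign host"))
            elif any(ch in value for ch in '<>"\''):
                findings.append((name, value, "markup characters: possible attribute breakout"))
            elif name != "productNameSrc" and not value.isdigit():
                findings.append((name, value, "non-numeric size value"))
    return findings


def analyze(log_text):
    """Scan access-log text and return a list of findings for admin-console requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m.group("target").partition("?")
        if not path.startswith(ADMIN_PREFIX):
            continue  # only the admin console is in scope here
        ip = m.group("ip")
        if not _ip_allowed(ip):
            findings.append({"line": lineno, "ip": ip,
                             "kind": "admin_console_from_untrusted_network",
                             "detail": path})
        for name, value, why in _suspicious_param_values(query):
            findings.append({"line": lineno, "ip": ip,
                             "kind": "product_name_param_abuse",
                             "detail": f"{name}={value}: {why}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} from {f['ip']} ({f['detail']})")
```

Running the script against the constructed log reports the two requests from 203.0.113.7 as admin-console access from outside the trusted network, flags the productNameSrc value that points at an external host, and flags the quoted productNameWidth value; the legitimate requests from 10.0.0.5 with a relative image path produce nothing. In a real deployment the prefix, trusted networks and log format would be taken from the server's own configuration.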