Open Redirect in Oracle EBS (CVE-2017-3528)

Writeup of my first CVE: an open redirect in Oracle E-Business Suite, patched in the April 2017 CPU (CVE-2017-3528).

Well, this post is a bit late, 12 months to be exact! However, better late than never, right? This is the first CVE I've been awarded; while not a super leet finding, it was still a valid 0-day at the time.

A bit of background for those of you not aware of open redirect issues: an open redirect is a security flaw in an app or a web page that causes it to fail to properly validate the URLs it redirects to. As a result, it is possible to supply arbitrary links for the app to redirect to.

This issue in particular affects Oracle E-Business Suite 12.1.3/12.2.x. In order to trigger the exploit, the following URL can be used:

https://targetsite/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=/\example.com

The redirect parameter is vulnerable: if you supply any URL in the form /\zsec.uk, the page will be rendered inside of the site, which is similar to an iframe or open redirect:

[Image: EBS]

The affected URL and payload have been highlighted above for visual purposes. This has since been patched in the April 2017 CPU. The issue also has an entry on Exploit DB.
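
Browsers treat a backslash like a forward slash in http(s) URLs, so a redirect value of /\example.com resolves the same way as //example.com and leaves the site, even though it starts with a slash. The following is an added example, not Oracle's fix and not code from the original writeup, showing a check that accepts only same-origin paths; the origin app.example.test and all function names are assumptions made for illustration.

```javascript
// Added example: validating a redirect parameter before redirecting.
// BASE is a constructed placeholder origin, not a real deployment.
const BASE = 'https://app.example.test';

// Naive check: treats anything that starts with "/" as a local path.
// It accepts "/\example.com", which a browser resolves to another host.
function naiveIsLocal(target) {
  return typeof target === 'string' && target.startsWith('/');
}

// Shows where a browser would actually go (WHATWG URL resolution).
function resolvedHost(target, base = BASE) {
  return new URL(target, base).host;
}

// Hardened check: the target must be a single-slash path and must still
// resolve to our own origin after browser-style URL parsing.
function isSafeRedirect(target, base = BASE) {
  if (typeof target !== 'string' || target.length === 0) return false;
  // Control characters (tab, CR, LF) are stripped by browsers before
  // parsing, so "/<tab>/host" would become "//host".
  if (/[\u0000-\u001f\u007f]/.test(target)) return false;
  // "//" and "/\" both start a network-path reference (a new host).
  if (!/^\/(?![\/\\])/.test(target)) return false;
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return false; // unparseable input is never redirected to
  }
  return resolved.origin === new URL(base).origin;
}
```

Applying the same rule server-side, before the redirect response is built, is what matters; the parser here only mirrors how the browser will interpret the value.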