Oracle iRecruitment Notes

From Rory.wiki


Packaged application from Oracle which sits on the Oracle database/Oracle e-business server stack.

The application defaults to case-insensitive usernames/passwords.

There is a numeric parameter function_id which can be enumerated for easy permissions mapping/checking. Possibility of verbose error messages providing details on what each function_id maps to.

There is diagnostics functionality on one of the function_ids...

One of the session cookie IDs reveals the database host name (at the end of the cookie name).

Modifying the value of the session cookie may provide verbose Oracle database errors.

Error messages have a plain text injection vulnerability (text is escaped but still allows arbitrary messages to be displayed).

There's a Cross-Site Scripting vulnerability in the document preview feature. Previewing a text document executes JavaScript. Interestingly, it doesn't work for .DOC files (at least in a basic form); there must be a different interpretation path for DOCs and TXTs ...

Potentially interesting URLs

Potentially reveals information about the installation:

http(s)://<host>/OA_HTML/OAInfo.jsp

Seems to do a nice arbitrary redirection:

http(s)://<host>/OA_HTML/cabo/jsps/frameRedirect.jsp?redirect=http://www.mccune.org.uk

Per this, http://{domain.com}/OA_HTML/OA.jsp?page=/oracle/apps/per/selfservice/empdir/webui/SimpleSrchPG may reveal information about company structure.
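A log check for two of the behaviours noted above (function_id enumeration and off-site frameRedirect.jsp targets), as an added example that is not part of the original notes. The log format, host names, threshold, sample lines and the choice of OA.jsp as the page carrying function_id are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {"ebs.example.internal"}  # assumption: the site's own host name(s)
ENUM_THRESHOLD = 5  # assumption: distinct function_id values per client before flagging
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')


def _line(client, target):
    """Build one constructed access-log line in common log format."""
    return f'{client} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


REDIR = "/OA_HTML/cabo/jsps/frameRedirect.jsp?redirect="
# Constructed sample traffic; every address, host and value here is made up.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"/OA_HTML/OA.jsp?function_id={n}") for n in range(1001, 1007)]
    + [_line("10.0.0.9", "/OA_HTML/OA.jsp?function_id=1001")] * 2
    + [
        _line("10.0.0.7", REDIR + "http://www.example.org/"),
        _line("10.0.0.8", REDIR + "/OA_HTML/OA.jsp"),
        _line("10.0.0.8", REDIR + "https://ebs.example.internal/OA_HTML/OA.jsp"),
    ]
)


def analyse(log_text, trusted=TRUSTED_HOSTS, threshold=ENUM_THRESHOLD):
    """Return (off-site redirect hits, clients walking many function_id values)."""
    offsite, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query)
        if url.path.endswith("/cabo/jsps/frameRedirect.jsp"):
            for dest in params.get("redirect", []):
                host = urlsplit(dest).hostname  # None for relative targets
                if host and host.lower() not in trusted:
                    offsite.append((client, dest))
        for fid in params.get("function_id", []):
            if fid.isdigit():
                seen[client].add(int(fid))
    enumerators = {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}
    return offsite, enumerators


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```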

Links & Resources

Notes on irecruitment and ebusiness testing
