Oracle Access Manager (OAM) Vulnerabilities

Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid) provides a full range of identity administration and security functions, that include Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration.

The main file of OAM is “obrareq.cgi”.

However, “obrareq.cgi” doesn’t authenticate its paramters properly. So attackers can do Attacks such as DOS and Information Disclosure

When a user clicks the URLs above before login, the “Login” page appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage controlled by an attacker or to any file in Oracle.

 

 

 

Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

The vulnerabilities fixed by Oracle in the following update:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

CVE Details:
CVE-2014-2404: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2404
CVE-2014-2452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2452


Reporter:

WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University. He got his bachelar degree of Mathematics from University of Science and Technology of China.

 

 

 

 

http://user.qzone.qq.com/137372921

 

 

Leave a comment

你的電子郵件位址並不會被公開。 必要欄位標記為 *

你可以使用這些 HTML 標籤與屬性: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>