Tuesday 10 June 2014

Oracle Access Manager (OAM) Vulnerabilities

 Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid) provides a full range of identity administration and security functions, that include Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration.
The main file of OAM is “obrareq.cgi”.


However, I found “obrareq.cgi” doesn’t authenticate its paramters properly. So attackers can do Attacks such as Dos and Information Disclosure


When a user clicks the URLs above before login, the “Login” page appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage controlled by an attacker or to any file in Oracle.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


The vulnerabilities fixed by Oracle in the following update:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html




More Details:
http://www.tetraph.com/blog/2014/06/oracle-access-manager-oam-vulnerabilities/



Posted by:
WANG Jing (王晶). a PhD student in mathematics from Nanyang Technological University. He obtained his bachelor's degree in mathematics at University of Science and Technology of China.

http://www.tetraph.com/wangjing/




http://www.tetraph.com/wangjing/chinese.html
http://user.qzone.qq.com/137372921

No comments:

Post a Comment