Oracle Access Manager (formerly known as Oblix NetPoint and
Oracle COREid) provides a full range of identity administration and
security functions that include Web single sign-on; user self-service
and self-registration; sophisticated workflow functionality; auditing
and access reporting; policy management; dynamic group management; and
The main file of OAM is “obrareq.cgi”.
I found “obrareq.cgi” doesn’t authenticate its parameters properly. So
attackers can launch attacks such as DoS and information disclosure
a user clicks the URLs above before login, the “Login” page appears.
The user needs to enter his/her username and password. When this is
done, the user could be redirected to a webpage controlled by an
attacker or to any file in Oracle.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
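The behaviour reported above is a post-login redirect that follows a request parameter to an attacker-chosen page or file. As an added example (not Oracle's code, and not part of the original advisory), the check below shows how an SSO gateway can restrict such a parameter to an allow-list of its own hosts; the host names and the `safe_redirect_target` helper are hypothetical.

```python
"""Added example (not Oracle's code): validating a post-login redirect target.

The advisory reports that obrareq.cgi forwards a freshly logged-in user to a
location taken from request parameters without checking it. The allow-list
check below is a hypothetical mitigation for such a parameter; the host names
are constructed for the example.
"""
from urllib.parse import urlsplit, urljoin

# Constructed allow-list of hosts the SSO gateway may send users to.
ALLOWED_HOSTS = {"sso.example.com", "portal.example.com"}
DEFAULT_TARGET = "https://portal.example.com/"


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect URL that stays on an allowed https host, else the default.

    Rejects foreign hosts, non-https schemes (file:, javascript:, ...),
    protocol-relative URLs ("//host"), backslash variants, userinfo
    ("user@host") and control characters that could split the header.
    """
    if not raw or any(c in raw for c in "\r\n\x00"):
        return default
    candidate = raw.replace("\\", "/")  # browsers treat "\" like "/" here
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must start with exactly one "/", then resolve
        # against the default origin so the host cannot change.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return default
        return urljoin(default, candidate)
    if parts.scheme != "https":
        return default
    if "@" in parts.netloc or parts.hostname is None:
        return default
    if parts.hostname.lower() not in allowed_hosts:
        return default
    return candidate
```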