Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid) provides a full range of identity administration and security functions, that include Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration.

The main file of OAM is “obrareq.cgi”.

However, “obrareq.cgi” doesn’t authenticate its paramters properly. So attackers can do Attacks such as DOS and Information Disclosure

When a user clicks the URLs above before login, the “Login” page appears. The user needs to enter his/her username and password. When this is done, the user could be redirected to a webpage controlled by an attacker or to any file in Oracle.

Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

The vulnerabilities fixed by Oracle in the following update:


WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University. He got his bachelar degree of Mathematics from University of Science and Technology of China.




Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>