lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFWG0-gk7HbFEgvLaozp71JWUyVfe+h4+1Kqi2T-1pdKksf7tA@mail.gmail.com>
Date: Tue, 10 Jun 2014 17:44:45 +0800
From: Jing Wang <justqdjing@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Oracle Access Manager (OAM) Vulnerabilities (CVEs)

Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid)
provides a full range of identity administration and security functions,
that include Web single sign-on; user self-service and self-registration;
sophisticated workflow functionality; auditing and access reporting; policy
management; dynamic group management; and delegated administration.


The main file of OAM is "obrareq.cgi". However the file does not
authenticate its parameters properly. So attackers can modify its
parameters as they like and do attacks.




My name is Wang Jing. I am a Mathematics PhD student from Nanyang
technological University, Singapore. I reported the vulnerabilities to
Oracle in February, 2014.

The vulnerabilities fixed by Oracle in the following update:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html



More Details:
http://www.tetraph.com/blog/2014/06/oracle-access-manager-oam-vulnerabilities/



CVE Details:
CVE-2014-2404: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2404
CVE-2014-2452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2452

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ