| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Jun 2014 17:44:45 +0800 From: Jing Wang <justqdjing@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Oracle Access Manager (OAM) Vulnerabilities (CVEs) Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid) provides a full range of identity administration and security functions, that include Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration. The main file of OAM is "obrareq.cgi". However the file does not authenticate its parameters properly. So attackers can modify its parameters as they like and do attacks. My name is Wang Jing. I am a Mathematics PhD student from Nanyang technological University, Singapore. I reported the vulnerabilities to Oracle in February, 2014. The vulnerabilities fixed by Oracle in the following update: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html More Details: http://www.tetraph.com/blog/2014/06/oracle-access-manager-oam-vulnerabilities/ CVE Details: CVE-2014-2404: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2404 CVE-2014-2452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2452 _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists