Oracle Access Manager (formerly known as Oblix NetPoint and Oracle
COREid) provides a full range of identity administration and
security functions, including Web single sign-on; user
self-service and self-registration; sophisticated workflow
functionality; auditing and access reporting; policy management;
dynamic group management; and delegated administration.
The main file of OAM is “obrareq.cgi”.
However, I found “obrareq.cgi” doesn’t authenticate its parameters
properly. So attackers can do attacks such as Open Redirect and
When a user clicks one of the URLs above before logging in, the “Login” page
appears and the user must enter his/her username and password.
Once this is done, the user can be redirected to a webpage
controlled by an attacker or to any file in Oracle.
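The root cause described above is a redirect parameter that is accepted without validation. The following is an added example of the defensive check a login endpoint should apply before redirecting; it is not code from the advisory or from Oracle Access Manager. The parameter name `returnUrl` and the allowlisted host `sso.example.com` are assumptions chosen for illustration, as are the constructed query strings used in the usage section.

```python
"""
Validate a post-login redirect target against an allowlist.

Added illustration of the mitigation for open-redirect bugs of the
kind described in the advisory; not OAM code. The parameter name
'returnUrl' and the host allowlist are constructed assumptions.
"""
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: only hosts we operate may receive a redirect.
ALLOWED_HOSTS = {"sso.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an absolute
    http(s) URL whose host is explicitly allowlisted."""
    if not target:
        return False
    # Control characters, whitespace and backslashes are classic ways to
    # confuse URL parsers (header injection, "/\evil" path tricks).
    if any(ch in target for ch in "\r\n\t \\"):
        return False

    parsed = urlparse(target)

    # Relative target: must be a single-slash path. "//host" is
    # scheme-relative and would leave the site, so it is rejected
    # (urlparse puts that host in netloc, which fails the test below).
    if parsed.scheme == "" and parsed.netloc == "":
        return target.startswith("/") and not target.startswith("//")

    # Absolute target: only http/https, and only allowlisted hosts.
    # parsed.hostname strips userinfo and port, so "allowed@evil" and
    # "allowed.evil" both resolve to a host that is not on the list.
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname
    return host is not None and host.lower() in allowed_hosts


def safe_return_url(query_string: str, default: str = "/") -> str:
    """Extract the hypothetical 'returnUrl' parameter from a query string
    and return it only if it passes validation, else the default."""
    params = parse_qs(query_string, keep_blank_values=True)
    candidate = params.get("returnUrl", [""])[0]
    return candidate if is_safe_redirect(candidate) else default


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one attacker-controlled.
    for qs in ("returnUrl=/portal/home", "returnUrl=https://evil.example/phish"):
        print(qs, "->", safe_return_url(qs))
```

The allowlist approach is deliberately stricter than a denylist: anything that is not a local path or a known host is dropped and the user lands on the default page. Logging the rejected candidate (not shown) gives the SOC a useful signal, since a stream of rejected external targets on the login endpoint is exactly what an open-redirect phishing campaign looks like.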
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE
(9.0.15) in Windows 7.
The vulnerabilities were fixed by Oracle in the following update: