Oracle Access Manager suffers from information disclosure vulnerabilities.
Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid)
provides a full range of identity administration and security functions,
including Web single sign-on; user self-service and self-registration;
sophisticated workflow functionality; auditing and access reporting; policy
management; dynamic group management; and delegated administration.
The main file of OAM is "obrareq.cgi". However, the file does not
authenticate its parameters properly, so attackers can modify its
parameters as they like and carry out attacks.
My name is Wang Jing. I am a Mathematics PhD student from Nanyang
Technological University, Singapore. I reported the vulnerabilities to
Oracle in February, 2014.
The vulnerabilities were fixed by Oracle in the following update:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
More Details:
http://www.tetraph.com/blog/2014/06/oracle-access-manager-oam-vulnerabilities/
CVE Details:
CVE-2014-2404: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2404
CVE-2014-2452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2452