Short Name | HTTP:ORACLE:APP-SERVER-BYPASS |
---|---|
Severity | Minor |
Recommended | No |
Recommended Action | Drop |
Category | HTTP |
Keywords | Oracle Application Server Portal Authentication Bypass Vulnerability |
Release Date | 2012/11/22 |
Update Number | 2205 |
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

This signature detects attempts to exploit a known authentication bypass vulnerability in Oracle Application Server Portal. A remote unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the server. Successful exploitation may allow the attacker to bypass authentication and access sensitive data.

Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that request. NOTE: as of 20080512, Oracle has not commented on the accuracy of this report.
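
For retrospective log review, the two-step pattern described above can be checked in web server access logs. The following is an added example, not the signature's own logic or vendor code: it flags requests whose target ends in an encoded line feed and any later request under /dav_portal/portal/ from the same client. The common log format, the sample lines, the path `/constructed/path` and correlation by client address (the session ID is not logged) are assumptions.

```python
import re
from urllib.parse import urlsplit

DAV_PREFIX = "/dav_portal/portal/"  # path named in the description above

# Assumed common log format: client, identity, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines for illustration only; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Nov/2012:10:00:01 +0000] "GET /constructed/path%0A HTTP/1.1" 200 512
198.51.100.7 - - [22/Nov/2012:10:00:03 +0000] "GET /dav_portal/portal/ HTTP/1.1" 200 2048
203.0.113.9 - - [22/Nov/2012:10:01:00 +0000] "GET /dav_portal/portal/ HTTP/1.1" 401 128
203.0.113.20 - - [22/Nov/2012:10:02:00 +0000] "GET /index.html?q=a%0Ab HTTP/1.1" 200 300
"""


def scan(log_text):
    """Return findings as (kind, client, target) tuples, in log order."""
    lf_clients = set()  # clients that already sent a trailing-%0A request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        client, _method, target, _status = m.groups()
        # Logs keep the raw percent-encoding, so compare case-insensitively.
        if target.lower().endswith("%0a"):
            lf_clients.add(client)
            findings.append(("trailing-lf", client, target))
        elif urlsplit(target).path.startswith(DAV_PREFIX) and client in lf_clients:
            # Access to the protected path after the crafted request.
            findings.append(("dav-after-lf", client, target))
    return findings


if __name__ == "__main__":
    for kind, client, target in scan(SAMPLE_LOG):
        print(f"{kind:13} {client:15} {target}")
```

An encoded line feed in the middle of a query string and an unrelated client's request to the same path are not flagged, which keeps the review focused on the sequence the description gives.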