Oracle Application Portal Server cookie authentication bypass

oracle-aps-cookie-auth-bypass (42302) The risk level is classified as MediumMedium Risk

Description:

Oracle Application Portal Server could allow a remote attacker to bypass authentication restrictions, caused by an error during session handling. By sending a direct URL request containing an appended line feed character to the /pls/portal directory, an attacker could obtain a valid authentication cookie to gain access to restricted directories.

Platforms Affected:

  • Oracle, Application Server Portal 10g

Remedy:

No remedy available as of November 22, 2008.

Consequences:

Bypass Security

References:

  • BugTraq Mailing List, Fri May 09 2008 - 07:49:36 CDT, Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2008-05/0125.html.
  • Oracle Web site, Oracle Portal Center Home at http://www.oracle.com/technology/products/ias/portal/index.html.
  • BID-29119: Oracle Application Server Portal Authentication Bypass Vulnerability
  • CVE-2008-2138: Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ via a request containing a trailing %0A (encoded line feed), then using the session ID that is generated from that request. NOTE: as of 20080512, Oracle has not commented on the accuracy of this report.
  • SA30140: Oracle Application Server Portal Authentication Bypass
  • SECTRACK ID: 1020034: Oracle Application Server May Discloses Files in '/dav_portal/portal/' Directory to Remote Users

Reported:

May 09, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page