Security researchers in Belgium have discovered two vulnerabilities related to Single Sign-on authentication in Oracle Access Manager (OAM) Version 10g, as part of penetration testing work for a client.
The two issues are an open redirect vulnerability and a related issue in how cookie values are sent in GET requests.
The researchers were able to demonstrate how an attacker could steal the “ObSSOCookie” value and hijack a user’s session if the user is tricked into clicking a malicious link in a phishing email.
Oracle provided a technical fix for one of the vulnerabilities by encrypting cookies in the GET parameter in version 11g but didn’t provide a fix in 10g, according to the Threatpost report.
Oracle told the researchers this was more of a configuration issue and recommended that organizations use SSODomains, a mitigation feature that allows users to specify the authorized web servers used with OAM and where redirects may be sent.