Oracle Application Testing Suite Authentication Bypass Vulnerability

ID ZDI-16-035
Type zdi
Reporter rgod
Modified 2016-06-22T00:00:00


This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Oracle Application Testing Suite. The specific flaw exists within the isAllowedUrl() function used for the admin pages. This function has a list of URI entries which do not require authentication. Because the function only checks to see if a URI starts with one of these entries, an attacker can use directory traversal in the URI to gain access to all of the exposed administrator functionality.