Last updated on SEPTEMBER 21, 2016
Applies to: Oracle Access Manager - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
OAM has a feature using a query string "end_url" to redirect a browser to a landing page after logging out.
However, an arbitrary URL can be appended, either manually or programmatically, to the end_url parameter, and the browser will be redirected there.
For example, given https://www.acme.com/oam/server/logout?end_url=http://www.badsite.com/signup.jsp, where www.acme.com is a valid OAM protected site, the browser will instead be redirected to http://www.badsite.com/signup.jsp.
The OAM server performs the server side logout operations and then redirects the browser to the URL specified in the "end_url" query parameter, whether or not the user was logged in.
This is not the desired behavior.
The goal would be to allow only URLs that are expected and approved.
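As an added example (not Oracle's code and not OAM's own configuration), the kind of allowlist check a reverse proxy or custom logout page could apply to end_url before honouring it; the approved host names and the default landing page are assumed values for illustration:

```python
from urllib.parse import urlsplit

# Hosts approved as logout landing pages (constructed sample; a real deployment
# would load these from configuration rather than hard-code them).
APPROVED_HOSTS = {"www.acme.com", "portal.acme.com"}
APPROVED_SCHEMES = {"https"}
DEFAULT_LANDING = "https://www.acme.com/loggedout.html"  # assumed fallback page


def is_approved_end_url(end_url, approved_hosts=APPROVED_HOSTS):
    """Return True only if end_url is a rooted same-site path or an absolute
    https URL whose host is on the allowlist."""
    if not end_url:
        return False
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise "/\www.badsite.com" would look like a harmless relative path.
    candidate = end_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be rooted ("/x") and not scheme-relative ("//host").
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() not in APPROVED_SCHEMES:
        return False  # rejects http://, javascript:, data:, and scheme-relative forms
    # Reject userinfo tricks such as https://www.acme.com@www.badsite.com/
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in approved_hosts


def resolve_landing_page(end_url):
    """Honour end_url only when approved; otherwise use the configured default."""
    return end_url if is_approved_end_url(end_url) else DEFAULT_LANDING
```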