Maker/Checker concept bypassed on Administration screens (Doc ID 2646386.1)

Last updated on MARCH 09, 2020

Applies to:

Oracle Financial Services Analytical Applications Infrastructure - Version 8.0.7.2.0 and later
Information in this document applies to any platform.

Symptoms

On : 8.0.7 version, Security_issues_OFSS

ACTUAL BEHAVIOR
---------------
A malicious administrator can bypass the Maker/Checker control and approve his or her own submitted requests.

EXPECTED BEHAVIOR
-----------------------
The user who submitted a request should not be able to authorize his or her own requests.


STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Let user A submit a request to disable user B.
2. The same user A can then authorize that request by intercepting the HTTP request and modifying the request body and URL.
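The corresponding defensive control is a server-side separation-of-duties check: the approver is whoever the authenticated session belongs to, compared against the maker recorded at submission time, and any identity the client places in the URL or body is ignored. The Python sketch below is an added illustration, not OFSAAI product code; the class, field and user names are constructed, and it also records audit entries (including a tampering signal when the body names a different approver) that a detection team could alert on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

class MakerCheckerViolation(Exception):
    """Raised when the authenticated user tries to check their own request."""

@dataclass
class ChangeRequest:
    request_id: str
    maker: str                    # authenticated submitter, recorded server-side
    action: str                   # e.g. "disable_user"
    target: str                   # e.g. the user being disabled
    status: str = "PENDING"
    checker: Optional[str] = None

@dataclass
class AdminWorkflow:
    requests: Dict[str, ChangeRequest] = field(default_factory=dict)
    audit_log: List[tuple] = field(default_factory=list)

    def submit(self, session_user: str, request_id: str, action: str, target: str) -> None:
        # The maker is the session identity, never a value taken from the request.
        self.requests[request_id] = ChangeRequest(request_id, session_user, action, target)

    def authorize(self, session_user: str, request_id: str, body: dict) -> ChangeRequest:
        # request_id comes from the URL and body from the payload; only session_user is trusted.
        req = self.requests.get(request_id)
        if req is None or req.status != "PENDING":
            raise KeyError(f"no pending request {request_id!r}")
        claimed = body.get("approver")
        if claimed is not None and claimed != session_user:
            # A body naming someone else as approver is a tampering signal worth alerting on.
            self.audit_log.append(("TAMPER_SUSPECTED", request_id, session_user, claimed))
        if session_user == req.maker:
            self.audit_log.append(("SELF_APPROVAL_BLOCKED", request_id, session_user))
            raise MakerCheckerViolation(f"{session_user} cannot check own request {request_id}")
        req.status, req.checker = "APPROVED", session_user
        self.audit_log.append(("APPROVED", request_id, session_user))
        return req

def run_scenario() -> tuple:
    # Replays the advisory's steps, then lets a second administrator (constructed userC) approve.
    wf = AdminWorkflow()
    wf.submit("userA", "REQ-1", "disable_user", "userB")
    try:
        wf.authorize("userA", "REQ-1", {"approver": "userC"})  # tampered body, same session
        first = "approved"
    except MakerCheckerViolation:
        first = "blocked"
    final = wf.authorize("userC", "REQ-1", {})
    return first, final.status, final.checker, len(wf.audit_log)
```

In a real deployment the comparison should use a stable internal user identifier rather than a display name, so that a renamed or re-created account cannot satisfy the check.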

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, the Maker/Checker control is bypassed and the application is vulnerable to unauthorized changes.

Cause

