Maker/Checker concept bypassed on Administration screens
(Doc ID 2646386.1)
Last updated on FEBRUARY 27, 2022
Applies to:
Oracle Financial Services Analytical Applications Infrastructure - Version 8.0.7.2.0 and later
Information in this document applies to any platform.
Symptoms
On : 8.0.7 version, Security_issues_OFSS
ACTUAL BEHAVIOR
---------------
A malicious administrator user bypassing the Maker/Checker functionality can approve his/her own submitted requests.
EXPECTED BEHAVIOR
---------------
A user who submitted a request should not be able to authorize their own request.
STEPS
---------------
The issue can be reproduced at will with the following steps:
1. Let user A submit a request to disable user B.
2. The same user A can then authorize that request by intercepting the HTTP request and modifying its body and URL.
BUSINESS IMPACT
---------------
The issue has the following business impact:
Due to this issue, the Maker/Checker control is bypassed and the application is exposed to unauthorized administrative changes.
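As an added illustration (not from this Oracle note or the product's code), the following Python model contrasts an authorization handler that trusts a client-supplied checker identity with one that enforces the expected behaviour: the checker is taken from the server-side session and a request's maker is never accepted as its checker. All class, function and user names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    """Raised when a Maker/Checker rule is violated."""


@dataclass
class ChangeRequest:
    request_id: str
    maker: str                      # user who submitted the change
    action: str                     # e.g. "disable user B"
    status: str = "PENDING"         # PENDING -> APPROVED
    checker: Optional[str] = None   # user who authorized it


class RequestStore:
    def __init__(self) -> None:
        self.requests: Dict[str, ChangeRequest] = {}

    def submit(self, maker: str, action: str) -> ChangeRequest:
        req = ChangeRequest(f"REQ-{len(self.requests) + 1}", maker, action)
        self.requests[req.request_id] = req
        return req

    def authorize_insecure(self, request_id: str, body: dict) -> ChangeRequest:
        """Weak pattern: the checker identity is read from the request body.
        The maker/checker comparison runs, but against a value the caller
        controls, so editing the body defeats the control."""
        req = self.requests[request_id]
        if body.get("checker") == req.maker:
            raise AuthorizationError("maker may not check own request")
        req.status, req.checker = "APPROVED", body.get("checker")
        return req

    def authorize_secure(self, request_id: str, session_user: str) -> ChangeRequest:
        """Hardened pattern: the checker identity comes only from the
        authenticated server-side session, the request must still be
        pending, and the stored maker is compared with that session user."""
        req = self.requests.get(request_id)
        if req is None or req.status != "PENDING":
            raise AuthorizationError("no pending request with that id")
        if session_user == req.maker:
            raise AuthorizationError("maker may not check own request")
        req.status, req.checker = "APPROVED", session_user
        return req
```

The same rule should also cover every endpoint that can change a request's state (approve, reject, re-submit), since a check applied only to the approval screen leaves the other paths open.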
Cause