ECM API Bypass Vulnerability 2
(Doc ID 2987565.1)
Last updated on NOVEMBER 21, 2023
Applies to:
Oracle Financial Services Enterprise Case Management - Version 8.0.7 and laterInformation in this document applies to any platform.
Symptoms
We are doing security scan for ECM module.
We found some requests for now till allow unauthored user to use by replacing jsessionID.
1. /fccm/solution/cm/CM_NetworkView.jsp:
replicate by curl:
curl --location --request GET 'https://aml-sit.techcombank.com.vn/fccm/solution/cm/CM_NetworkView.jsp?LA_AM_ENTITY_ID=CU~13xxxxxx&LA_AM_LINK_TYPE=ACCUNT_TO_CLNT_BANK~ACCOUNT_TO_CUSTOMER~EMPLOYEE_TO_ACCOUNT~ACCOUNT_TO_HOUSEHOLD~CASHS~CUSTOMER_TO_CUSTOMER~INSURANCE_TRNS~JOURNALS~MONETARY_INSTR~WIRES&LA_AM_FROM_DT=03/29/2023&LA_AM_TO_DT=06/29/2023&LA_AM_DEGREE_OF_SEP=3&LA_AM_REFRESH_FRAME=Y&ReviewId=CAxxxxx&infodom=FCCMINFO&segment=ECMSEGMNT&LA_AM_GTRTHANTRNAMT=0&LA_AM_LESTHANTRNAMT=99999999999999999999.99999999&LA_AM_APP_DATE_FORMAT=MM/dd/yyyy' \
--header 'cookie: JSESSIONID=ZeYFjfLHx2fNBzlsN1RzfD6pHJc0YNvaM8kvxG9CEMZ2Pr9-RcJO!-362259616'
Expection: Application should not allow unauthored user to use.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Cause |
| Solution |
| References |