Hello and welcome to the Tuesday, November 25th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in incident

response. Well, today's diary is not some breaking new item for a change, but something that I have

been seeing more and more lately. And it's nothing really new, but I think worth pointing out and reminding people about,

and that's how URL mapping and URL-based access control can sometimes lead to gaps in authentication and access control.

We have seen this lately with the Oracle Identity Manager, we're just adding a little extension,

sort of cost bypassing off the access control. And then, so it's prompted me to write

this diary is earlier today, I saw an older vulnerability in the Hitachi, Van Tara,

Pantau Business Analytics server being exploited.

Same pattern here as long as you append require.js.

To the URL, you're good to go.

You can basically execute whatever you want. And this in this particular case then opens up command injection vulnerability

that otherwise would be protected

by authentication. So that's really what's happening here. And the reason behind it is that

for a range of different URLs, so as long as you have this LDAP 3 Note Children part

in the URL, it's all going to the same script, and that's sort of

where the URL mapping comes in. In web servers, you often map your URLs that several

URLs or range of URLs or any request to particular directory is really processed by the same

script. So appending things like here require.js does not change what's being executed,

but it does change your authentication logic.

And that's really the problem here.

...