Oracle WebCenter information exposure vulnerability
| CENSUS ID: | CENSUS-2014-0001 |
| CVE ID: | CVE-2014-0450 |
| Oracle Tracking #: | S0388414 (CPUApr2014) |
| Affected Products: | Oracle Fusion Middleware (versions 11.1.1.7 and 11.1.1.8) |
| Class: | Information Exposure (CWE-200), Privacy Violation (CWE-359) |
| Remote: | Yes |
| Discovered by: | Alex Zaharis |
| Researched by: | Alex Zaharis, Patroklos Argyroudis |
The Oracle WebCenter portal component in Oracle Fusion Middleware (versions 11.1.1.7 and 11.1.1.8) is vulnerable to an information exposure vulnerability. A malicious user may utilize this vulnerability to gain unauthenticated access to the list of valid usernames of the system, the users’ personal information and files linked to the users’ profiles.
Details
Oracle WebCenter is a platform for building web applications, web portals and collaboration web sites. It is owned and developed by Oracle targeting the enterprise portal market.
We have discovered an information exposure vulnerability in the Oracle WebCenter portal component in Oracle Fusion Middleware (versions 11.1.1.7 and 11.1.1.8) that leads to disclosure of user information. Specifically, an unauthenticated attacker can retrieve all information related to the users of the platform via a default user account of the Oracle WebCenter installation. This includes usernames, emails, phone numbers and files linked to the users’ profiles.
The attack can be achieved via the following steps:
1. The attacker visits the following URL on the target Oracle WebCenter installation (URL edited for readability):
http://www.vulnsite.com/webcenter/faces/oracle/webcenter/page/
scopedMD/s8bba98ff_4cbb_40b8_beee_296c916a23ed/businessRolePages/
UserProfileMainView.jspx?immediate=true&wc.username=weblogic
2. The attacker has now gained unauthenticated access to the Oracle WebCenter backend interface as the default user “weblogic”. From the backend interface the attacker may then navigate to the “Documents” tab.
3. In the “Filter” field the attacker selects “Advanced” as illustrated in the following screenshot.
4. The attacker then clicks the binoculars icon next to the “Created By” field.
5. In the search field the attacker enters “*” and retrieves the complete list of the system’s usernames along with emails and phone numbers, as shown in the following screenshot:
Moreover, once the list of all valid usernames has been retrieved, an attacker will be able to gain unauthenticated read access to files linked to each user profile on the Oracle WebCenter installation via the following URL (edited for readability):
http://www.vulnsite.com/webcenter/faces/oracle/webcenter/page/
scopedMD/s8bba98ff_4cbb_40b8_beee_296c916a23ed/businessRolePages/
UserProfileMainView.jspx?immediate=true&wc.username=<valid_username>
Oracle has responded to this advisory with an update to WebCenter included in the Critical Patch Update Advisory — April 2014. Administrators of affected installations are advised to proceed with the Critical Patch Update patch.
Disclosure Timeline
| Discovery: | August 20th, 2013 |
| Vendor Contact: | August 22nd, 2013 |
| CVE Assignment: | December 12th, 2013 |
| Public Disclosure: | April 15th, 2014 |