exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Web Content Manager XPath Injection

IBM Web Content Manager XPath Injection
Posted Dec 27, 2013
Authored by Alexander Antukh, S. Temnikov | Site sec-consult.com

IBM Web Content Manager versions 6.x, 7.x, and 8.x suffer from blind XPath injection attacks. This allows an attacker to get current application configuration, enumerate nodes, and extract other valuable information from vulnerable installations of Web Content Manager.

tags | exploit, web
advisories | CVE-2013-6735
SHA-256 | 69ed54de30dd34415932f287057413898bcb590a08bf4420d7b20ebaa5b7b2aa

IBM Web Content Manager XPath Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20131227-0 >
=======================================================================
title: XPath Injection
product: IBM Web Content Manager (WCM)
vulnerable version: 6.x, 7.x, 8.x
fixed version: -
impact: high
homepage: https://www.ibm.com/
found: 2013-10-27
CVE: CVE-2013-6735
by: A.Antukh, S.Temnikov
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"IBM® Web Content Manager is designed to accelerate web content development and
deployment through Internet, intranet and extranet sites. This software enables
users to create and publish content while IT retains control. Through advanced
personalization, IBM Web Content Manager delivers the right information to the
right audience when needed, providing an exceptional customer experience"

Source: https://www-03.ibm.com/software/products/en/ibmwebcontmana


Business recommendation:
------------------------
The discovered vulnerability can be exploited _without_ authentication and
therefore pose a high security risk - it allows extraction of configuration
data from the server. The impact of the XPath vulnerability isn't researched
fully. SEC Consult suspects that it is possible to extract sensitive
information that will be useful for further attacks. The recommendation of SEC
Consult is to immediately install patches provided by the vendor.


Vulnerability overview/description:
-----------------------------------
A typical URL for a host with installed WCM looks like this:
https://[HOST]:[PORT]/wps/wcm/connect/[PATH]

The "connect" servlet provided in the standard installation of IBM Web Content
Manager parses the PATH element as follows:
[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]

Due to insufficient validation, the "LIBRARY" element suffers from an
XPath-injection vulnerability.

An unauthenticated user is able to perform blind XPath Injection attacks e.g.
get current application configuration, enumerate nodes and extract other
valuable information from vulnerable installations of Web Content Manager.


Proof of concept:
-----------------
The vulnerability is exploited due to improper validation of the LIBRARY
parameter, which is parsed by the "connect" servlet.

The most basic cases are presented below, and allow an attacker to manipulate
logic of the request. The "false" clause causes an error, the "true" clause (if
not defined explicitly) redirects an attacker to the
"/wcm/webinterface/login/login.jsp" page.

True clause: https://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a
False clause: https://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b

Knowing the difference between responses of the true and false clauses, it is
possible to manipulate requests in order to extract the information. For
example, if the following request returns TRUE, this would give an attacker
information about the "name" property.

https://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b

In a similar way, with use of the "jcr:like" and "jcr:contains" functions one
can effectively restore the value for the "target" property.


Vulnerable / tested versions:
-----------------------------
The vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which
are the most recent versions at the moment of writing the advisory.


Vendor contact timeline:
------------------------
2013-12-04: Contacted vendor through psirt@vnet.ibm.com.
2013-12-04: Initial vendor response.
2013-12-06: Issues will be verified.
2013-12-20: Security bulletin released.
2013-12-27: SEC Consult releases coordinated security advisory.


Solution:
---------
Apply the Interim Fix PI07777
www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Antukh / @2013
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close