Oracle WebCenter Interaction - Multiple Vulnerabilities
-------------------------------------------------------

Oracle WebCenter Interaction (WCI), formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications. The latest version of WCI is 10.3.3. The product is no longer supported by Oracle and has been replaced with Oracle WebCenter Portal. Oracle recommend that affected customers upgrade to Oracle WebCenter Portal where possible.

Multiple vulnerabilities were discovered in the latest and last version of Oracle WebCenter Interaction (10.3.3). The details of each vulnerability are described in the following sections.

Oracle WebCenter Interaction: Reflected XSS in Page Rename
----------------------------------------------------------

*CVE:* CVE-2018-16953

*CVSSv3:* 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

*Versions affected:* 10.3.3 (10.3.3.379633)

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WCI portal can be installed as an ASP.NET web application for IIS. The ASP.NET portal comes as compiled .NET assemblies that are linked into an IIS site of the customer's choosing.

Vulnerability
~~~~~~~~~~~~~

The `DisplayResponse()` function of the `AjaxView` class in the `portalpages.dll` assembly is vulnerable to reflected cross-site scripting (XSS). The new and old names of the renamed page are reflected in an HTTP response with the content type `text/html`.
Consequently, when a user renames a page in the portal, they can inject HTML and JavaScript in the name to have it executed by the browser when the response is received.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

N/A

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.

Oracle WebCenter Interaction - Insecure Default Configuration
-------------------------------------------------------------

*CVE:* CVE-2018-16959

*CVSSv3:* 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

*Versions affected:* 10.3.3 (10.3.3.379633)

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The WCI portal provides the primary user interface to the WebCenter Interaction services included in the product suite. Guest and authenticated users can navigate the portal's features. The portal includes a detailed authorisation system based on objects and rights. Objects sit within containers. Objects and containers are assigned rights. A default set of rights is provided at the time of installation.

Vulnerability
~~~~~~~~~~~~~

The default installation of the Oracle WCI portal includes a *User Profile* community. This community allows users to view basic profile information about registered users in the portal, including their registered username. The default configuration of the User Profile community allows the *Everyone* group read access. This security setting provides unauthenticated users with read access to the profile information of every registered user.
Most notably, the username of the account is included in the information provided by this community. Because the community is accessed by a numerical identifier (`/portal/server.pt/user/user/[ID]`), this default configuration exposes the portal to username harvesting/enumeration attacks. An attacker can simply request the community with incrementing identifiers to extract the username of every valid user registered in the portal.

The impact of this default configuration is made more severe when a customer decides to integrate Active Directory as an authentication source. The default security configuration of the community then exposes every Active Directory username synchronised with the portal.

As it is well known that customers tend to leave products in their default configuration state, the onus for reasonable product security lies with the vendor. This default configuration unnecessarily and unknowingly exposes customers to username harvesting attacks. Once an attacker has a list of valid usernames, they can trivially gain unauthorised access to the portal with brute-forcing and password-spraying attacks.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
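From the defender's side, the enumeration pattern described above (one client walking `/portal/server.pt/user/user/<ID>` with consecutive identifiers) is easy to spot in IIS logs. The following is an added detection example written for this advisory, not code from Oracle or from the referenced research repository. It assumes W3C-format IIS logs with the `date time c-ip cs-method cs-uri-stem sc-status` field layout, and the log lines embedded below are constructed; the thresholds (`min_ids`, `window_seconds`, `min_sequential_ratio`) are starting points to tune per environment.

```python
"""Detect sequential User Profile community enumeration in IIS logs.

Added example (not part of the advisory). It scans W3C-format IIS log
lines for requests to /portal/server.pt/user/user/<ID> and flags client
IPs that request many distinct, mostly consecutive IDs within a short
window. The field layout and the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2018-06-26 10:00:01 203.0.113.5 GET /portal/server.pt/user/user/200 200
2018-06-26 10:00:01 203.0.113.5 GET /portal/server.pt/user/user/201 200
2018-06-26 10:00:02 203.0.113.5 GET /portal/server.pt/user/user/202 200
2018-06-26 10:00:02 203.0.113.5 GET /portal/server.pt/user/user/203 200
2018-06-26 10:00:03 203.0.113.5 GET /portal/server.pt/user/user/204 200
2018-06-26 10:00:03 203.0.113.5 GET /portal/server.pt/user/user/205 200
2018-06-26 10:00:04 203.0.113.5 GET /portal/server.pt/user/user/206 200
2018-06-26 10:00:04 203.0.113.5 GET /portal/server.pt/user/user/207 200
2018-06-26 10:00:05 203.0.113.5 GET /portal/server.pt/user/user/208 200
2018-06-26 10:00:05 203.0.113.5 GET /portal/server.pt/user/user/209 200
2018-06-26 10:02:10 198.51.100.9 GET /portal/server.pt/user/user/200 200
2018-06-26 10:15:00 198.51.100.9 GET /portal/server.pt/community/Home/201 200
"""

PROFILE_RE = re.compile(r"^/portal/server\.pt/user/user/(\d+)$")


def parse_profile_hits(log_text):
    """Return {client_ip: [(timestamp, profile_id), ...]} for profile requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip W3C directive lines and blanks
        fields = line.split()
        if len(fields) < 5:
            continue
        date, time_, ip, _method, uri = fields[:5]
        m = PROFILE_RE.match(uri)
        if not m:
            continue
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        hits[ip].append((ts, int(m.group(1))))
    return hits


def find_enumerators(log_text, min_ids=8, window_seconds=60, min_sequential_ratio=0.8):
    """Flag IPs that fetched at least `min_ids` distinct profile IDs within
    `window_seconds` where most successive IDs differ by exactly one.
    Returns [(ip, distinct_id_count, span_seconds), ...]."""
    flagged = []
    for ip, events in parse_profile_hits(log_text).items():
        events.sort()
        distinct = sorted({pid for _, pid in events})
        if len(distinct) < max(min_ids, 2):
            continue
        span = (events[-1][0] - events[0][0]).total_seconds()
        if span > window_seconds:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if sequential >= min_sequential_ratio:
            flagged.append((ip, len(distinct), span))
    return flagged


if __name__ == "__main__":
    for ip, count, span in find_enumerators(SAMPLE_LOG):
        print(f"{ip}: {count} distinct profile IDs in {span:.0f}s")
```

The sequential-step ratio is what separates a scan from a user browsing a handful of colleagues' profiles; a low-and-slow scan that spreads requests beyond the window will still be caught if the window is widened, at the cost of more review work.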
Oracle WebCenter Interaction - Insecure Redirection
---------------------------------------------------

*CVE:* CVE-2018-16954

*CVSSv3:* 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

*Versions affected:* 10.3.3 (10.3.3.379633)

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WebCenter Interaction (WCI) portal is the primary user interface to the suite of services provided by WCI. The portal provides a default database-backed authentication system and can be extended to use remote directory services such as LDAP and Active Directory.

Vulnerability
~~~~~~~~~~~~~

The login function of the portal is vulnerable to insecure redirection (also called an open redirect vulnerability). The `in_hi_redirect` parameter allows the portal to redirect a user to another page once they have successfully logged in. It is primarily used to provide links to authenticated content that a user is returned to once they have logged in. This parameter is not validated to ensure its value has the same origin as the portal or belongs to a list of trusted domains. Consequently, an attacker can set the value to the URL of a malicious site they operate and mislead users into being redirected to that site.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
Oracle WebCenter Interaction - Redirection Cross-site Scripting
---------------------------------------------------------------

*CVE:* CVE-2018-16955

*CVSSv3:* 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

*Versions affected:* 10.3.3

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WebCenter Interaction (WCI) portal is the primary interface to the suite of services provided by WCI. The portal provides a default database-backed authentication system and can be extended to use remote directory services such as LDAP and Active Directory.

Vulnerability
~~~~~~~~~~~~~

The redirection function that follows successful authentication to the portal varies its redirection technique depending on the scheme of the URL specified in the `in_hi_redirect` parameter. When the URL scheme is `https://`, the HTTP response from the portal is `200 OK` and an HTML tag in the response body is used to perform the redirect. Otherwise the response is an HTTP 302 with a `Location` header. The URL specified in the `in_hi_redirect` parameter is reflected verbatim into that HTML tag when the scheme is `https://`. Consequently, an attacker can follow the parameter value with HTML and JavaScript code to have it execute in the browser immediately before the redirect is processed.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
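The two redirect findings (CVE-2018-16954 and CVE-2018-16955) share one root cause: the `in_hi_redirect` value is neither validated against the portal's own origin nor encoded before being written into the HTML response. The following is an added example of how a login handler would close both gaps; it is not Oracle's code and not taken from the referenced repository. The portal host, the allowlist, the default landing path and the use of a `<meta http-equiv="refresh">` element as the in-body redirect mechanism are all assumptions made for the example.

```python
"""Validate a post-login redirect target and embed it safely in HTML.

Added example, not from the advisory or from Oracle's code. It shows the
two checks the in_hi_redirect handling described above lacks: (1) the
target must be same-origin or on an explicit allowlist, and (2) when the
target is written into an HTML tag it must be attribute-encoded rather
than reflected verbatim. Host names and paths below are constructed.
"""
import html
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "portal.example.test"                 # assumed portal host
TRUSTED_HOSTS = {PORTAL_HOST, "sso.example.test"}   # assumed allowlist
DEFAULT_LANDING = "/portal/server.pt"               # assumed default landing page


def safe_redirect_target(value, default=DEFAULT_LANDING):
    """Return `value` if it is an acceptable redirect target, else `default`.

    Accepted: a relative path starting with a single "/" (not "//" or "/\\",
    which browsers treat as scheme-relative, i.e. a different host), or an
    absolute http(s) URL whose host is in TRUSTED_HOSTS. Anything else,
    including javascript: and data: URLs, falls back to the default page.
    """
    if not value:
        return default
    value = value.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default  # control characters never belong in a redirect target
    if value.startswith("/"):
        if value.startswith(("//", "/\\")):
            return default
        return value
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS or parts.username or parts.password:
        return default  # rejects untrusted hosts and user@host confusion tricks
    return urlunsplit(parts)


def meta_refresh_tag(target):
    """Build the in-body redirect element with the target attribute-encoded,
    so a quote or angle bracket in the value cannot close the attribute and
    start a script element (the CVE-2018-16955 pattern)."""
    safe = html.escape(safe_redirect_target(target), quote=True)
    return f'<meta http-equiv="refresh" content="0;url={safe}">'
```

Validation decides where the browser may go; encoding decides how the value is represented in the document. Doing only the first still leaves a reflected-XSS path through a trusted-host URL with markup in its path, which is why `meta_refresh_tag` encodes even an already-validated target.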
Oracle WebCenter Interaction - Hardcoded Search Service Password
----------------------------------------------------------------

*CVE:* CVE-2018-16957

*CVSSv3:* 5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

*Versions affected:* queryd.exe 10.3.3.379250

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

Oracle WCI provides a search service that enables the portal and other components to perform efficient searches for data throughout the platform. The search service runs as a Windows network service that executes the `queryd.exe` binary. `queryd` is a binary application written in C++ (VC2008).

Vulnerability
~~~~~~~~~~~~~

The Oracle WCI search service requires authentication before a query can be issued and answered. This prevents unauthenticated users from accessing sensitive data stored within the product suite. However, the search service uses a static password that has been hardcoded in the search service binary, `queryd.exe`.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects build 10.3.3.379250 of the Oracle WCI search service (`queryd.exe`).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
Oracle WebCenter Interaction - Weak Cookie Configuration
--------------------------------------------------------

*CVE:* CVE-2018-16958

*CVSSv3:* 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

*Versions affected:* 10.3.3

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WebCenter Interaction (WCI) portal provides the primary user interface to the suite of products included in WCI. The portal can be deployed as an ASP.NET application for IIS when installed on Windows Server.

Vulnerability
~~~~~~~~~~~~~

The WCI portal makes use of the primary session cookie in JavaScript. It is believed that for this reason the `httpOnly` attribute is explicitly removed from the session cookie when it is set. The attribute cannot be set using the `Web.config` configuration file, as the application code overrides it. Forcefully disabling this cookie attribute exposes the session cookie directly to cross-site scripting (XSS) vulnerabilities (such as CVE-2018-16953 and CVE-2018-16955). This exposure allows an attacker to hijack user sessions.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
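Because the application strips `httpOnly` itself, a `Web.config` review will not reveal the weakness; only the `Set-Cookie` header the portal actually emits will. The following added example (written for this advisory, not Oracle's code) parses captured `Set-Cookie` header values and reports session-like cookies that lack `HttpOnly`, `Secure` or a restrictive `SameSite`. The cookie name `portalsession`, the name fragments used to recognise session cookies, and both header strings are constructed; the advisory does not name the portal's session cookie.

```python
"""Audit Set-Cookie header values for session-cookie hardening attributes.

Added example, not from the advisory. Feed it the raw Set-Cookie values
captured from an HTTP response (one call per header) and it reports which
session-like cookies are missing HttpOnly, Secure or SameSite=Lax/Strict.
Cookie names and header strings below are constructed.
"""

# Assumed fragments that mark a cookie as session/auth bearing; adjust per app.
SESSION_COOKIE_HINTS = ("sess", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).
    Attribute names are case-insensitive per RFC 6265, so they are lowered."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return a list of findings for a session-like cookie; [] means hardened
    (or not a session cookie, which is not audited)."""
    name, _, attrs = parse_set_cookie(header_value)
    if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, so any XSS can steal it)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (cookie attached to cross-site requests)")
    return findings


# Constructed headers: a weak cookie of the kind described, and a hardened one.
WEAK_HEADER = "portalsession=abc123; path=/"
HARDENED_HEADER = "portalsession=abc123; path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header, "->", audit_set_cookie(header) or "ok")
```

Where the application reads the session cookie from JavaScript, restoring `HttpOnly` requires changing that application code rather than the server configuration; the audit tells you which cookies are in that position so the exposure can be tracked until the upgrade to WebCenter Portal that Oracle recommend.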
Oracle WebCenter Interaction - Portal Cross-Site Request Forgery
----------------------------------------------------------------

*CVE:* CVE-2018-16952

*CVSSv3:* 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

*Versions affected:* 10.3.3

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WebCenter Interaction (WCI) portal provides the primary user interface to the suite of products included in WCI. The portal can be deployed as an ASP.NET application for IIS when installed on Windows Server.

Vulnerability
~~~~~~~~~~~~~

The Oracle WCI portal makes no attempt to prevent cross-site request forgery (CSRF) attacks. To prevent these attacks, all sensitive actions need to implement a form of anti-CSRF token or special header. These techniques prevent requests from other origins (such as malicious sites) from being surreptitiously submitted with the intention of executing sensitive actions in the context of authenticated portal users. Consequently, the Oracle WCI portal is vulnerable to cross-site request forgery.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.
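The "anti-CSRF token or special header" the advisory calls for is straightforward to implement in front of any state-changing handler. The following added example (not Oracle's code and not from the referenced repository) shows a session-bound HMAC token that must be echoed back with each sensitive request, plus an `Origin`/`Referer` check against the portal's own origin. The server secret, the portal origin and the form field name `csrf_token` are assumptions made for the example.

```python
"""Session-bound anti-CSRF token plus an Origin check.

Added example, not from the advisory or the WCI code base. It implements
the two controls the advisory says the portal lacks: a per-session token
that every state-changing request must carry, and a check that the
request's Origin (or Referer) is the portal itself. The secret key, origin
and field name are constructed for the example.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret-rotate-in-production"  # assumed
PORTAL_ORIGIN = "https://portal.example.test"                      # assumed


def issue_csrf_token(session_id, nonce=None):
    """Return '<nonce>.<mac>' with mac = HMAC-SHA256(secret, session_id:nonce).

    Binding the MAC to the session id means a token captured from one
    session (or minted for the attacker's own session) fails in another."""
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = (token or "").partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = issue_csrf_token(session_id, nonce)
    return hmac.compare_digest(expected.encode(), token.encode())


def origin_allowed(headers):
    """Accept only requests whose Origin header is the portal's origin.
    Browsers omit Origin on some same-site GETs, so fall back to Referer;
    a request carrying neither header is rejected."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == PORTAL_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(PORTAL_ORIGIN + "/")


def authorize_state_change(session_id, headers, form):
    """Gate to run before any sensitive action (rename a page, change settings).
    Both checks must pass; they fail independently, which gives defence in depth."""
    return origin_allowed(headers) and verify_csrf_token(session_id, form.get("csrf_token"))
```

The token is issued when the page containing the form is rendered and embedded as a hidden field; because it is stateless (derived from the session id and a nonce) the server stores nothing extra, and rotating `SERVER_SECRET` invalidates all outstanding tokens at once.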
Oracle WebCenter Interaction - Page Edit DoS
--------------------------------------------

*CVE:* CVE-2018-16956

*CVSSv3:* 4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

*Versions affected:* 10.3.3

Introduction
~~~~~~~~~~~~

Oracle WebCenter Interaction, formerly called BEA AquaLogic User Interaction and now part of Oracle WebCenter Suite, is an integrated, comprehensive collection of components used to create enterprise portals, collaborative communities, and composite and social applications.

Background
~~~~~~~~~~

The Oracle WebCenter Interaction (WCI) portal provides the primary user interface to the suite of products included in WCI. The portal can be deployed as an ASP.NET application for IIS when installed on Windows Server.

Vulnerability
~~~~~~~~~~~~~

The `AjaxControl` component, responsible for renaming pages throughout the portal, does not validate the name of a given page for characters unsupported by the web server. It is therefore possible for a page to be renamed to include characters that the web server forbids in a URI. When a portal page is renamed in such a fashion, the page can no longer be accessed by its URI in the portal. Most notably, the DELETE character `0x7f` is not supported by IIS 7.5+ in the URL path. However, this character can be inserted into the name of a personal or community page when renaming the page.

An attacker can exploit this vulnerability to prevent pages from being accessed within the portal. Authenticated attackers with the ability to rename pages can include the `0x7f` character and prevent those pages from being accessed. Further, an unauthenticated attacker can exploit the lack of CSRF protections (CVE-2018-16952) to rename pages and communities with the intention of breaking as many pages as possible. When the landing page for portal users is renamed in this fashion, non-technical users will no longer be able to access the portal once they log in.
The redirection to the landing page URL containing the forbidden character will no longer succeed. This could cause sustained outages for Oracle customers, as the resolution would require database restoration or administrative editing of the page name.

Versions Affected
~~~~~~~~~~~~~~~~~

This vulnerability affects version 10.3.3 of the Oracle WebCenter Interaction portal - specifically build 10.3.3.379633 (the latest version at the time of writing).

References
~~~~~~~~~~

https://github.com/xdrr/vulnerability-research/tree/master/webapp/oracle/webcenter/interaction/2018-06-multiple

Credit
~~~~~~

This vulnerability was discovered by Ben N (pajexali@gmail.com) 26 June 2018.

Timeline
~~~~~~~~

* Full disclosure | 28 June, 2018 | Emailed all 8 vulns to Oracle PS team
* Receipt of disclosure | 28 June, 2018
* Response from Oracle | 6 July, 2018 | Oracle advise they will not investigate as the product is no longer supported. Oracle removed the WCI 10.3.3 download from their site.
* Oracle confirm OK to disclose | 27 July, 2018 | Oracle advise OK to disclose but recommend customers upgrade to WebCenter Portal ASAP.
* Apply for CVE IDs | 30 August, 2018 | Applied for CVE IDs for all vulns.
* MITRE assign CVEs | 12 September, 2018
* Public disclosure | 16 September, 2018 | Full disclosure of vulnerabilities
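Both page-rename findings in this advisory (the reflected XSS in `DisplayResponse()`, CVE-2018-16953, and the `0x7f` rename denial of service, CVE-2018-16956) come down to a rename handler that neither validates the incoming name nor encodes it on the way out. The following added example (written for this advisory, not Oracle's code and not from the referenced repository) shows the server-side checks a rename endpoint needs: it rejects names carrying characters IIS will not accept in a URL path, and it HTML-encodes the old and new names before writing the `text/html` confirmation. The advisory names DEL (`0x7f`) under IIS 7.5+; the check below conservatively rejects every ASCII control character as well. The maximum length and the wording of the response are assumptions.

```python
"""Server-side checks for a page-rename endpoint.

Added example, not from the advisory or from Oracle's code. It covers the
two rename defects described in this advisory: names containing characters
the web server forbids in a URL path are rejected (the advisory names DEL,
0x7f, for IIS 7.5+; every ASCII control character is rejected here as a
conservative choice), and the old and new names are HTML-encoded before
they are written into the text/html response. The length limit and the
response wording are assumptions.
"""
import html

MAX_PAGE_NAME_LEN = 100  # assumed limit


class InvalidPageName(ValueError):
    """Raised when a proposed page name must not be stored."""


def validate_page_name(name):
    """Return the trimmed name, or raise InvalidPageName with the reason."""
    if name is None:
        raise InvalidPageName("name is required")
    name = name.strip()
    if not name:
        raise InvalidPageName("name must not be blank")
    if len(name) > MAX_PAGE_NAME_LEN:
        raise InvalidPageName("name too long")
    for ch in name:
        code = ord(ch)
        # C0 controls (0x00-0x1f) and DEL (0x7f): DEL is rejected by IIS 7.5+
        # in the URL path, so a page named with it becomes unreachable.
        if code < 0x20 or code == 0x7F:
            raise InvalidPageName(f"control character U+{code:04X} not allowed")
    return name


def is_valid_page_name(name):
    """Boolean convenience wrapper around validate_page_name."""
    try:
        validate_page_name(name)
        return True
    except InvalidPageName:
        return False


def rename_response_html(old_name, new_name):
    """Build the text/html rename confirmation with both names HTML-encoded,
    so markup or script inside a name is displayed literally, not executed."""
    return "<p>Renamed page <b>{}</b> to <b>{}</b>.</p>".format(
        html.escape(old_name, quote=True), html.escape(new_name, quote=True)
    )


def rename_page(old_name, new_name):
    """Validate, then (in a real handler) persist, then render. Returns the
    response body; raises InvalidPageName instead of storing a bad name."""
    cleaned = validate_page_name(new_name)
    return rename_response_html(old_name, cleaned)
```

The validation step is what stops the outage scenario (a landing page that can never be reached again), while the encoding step is what stops the reflected XSS; neither substitutes for the other, and the encoding applies to the old name too, since it was stored before any validation existed.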