Oracle Document Capture ImportBodyText — read files

Type erpscan
Reporter ERPScan
Modified 2010-01-29T00:00:00


Application: Oracle Document Capture
Versions Affected: 10.1350.0005
Vendor URL: Oracle
Bugs: Unsecure READ method
Exploits: YES
Reported: 29.01.2010
Second report: 02.02.2010
Date of Public Advisory: 24.01.2010
Author: Alexey Sintsov

EasyMail ActiveX Control (emsmtp.dll) that included into Oracle Document Capture distrib can be used to read any file in target system. Vulnerable method is «ImportBodyText()».

Business Risk
An attacker can send a malicious link to an unaware user via e-mail, messaging or social networks. He also can insert this link into corporate portal. When clicking this link the end user browser will call vulnerable ActiveX component which can read any file on victim’s workstation and send it to attacker. It can be files with stored passwords or cookie files that store session data or SSO tickets. Attacker can use them to get unauthorized access to business-critical applications