Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Control Vulnerability

2013-08-19T00:00:00
ID SAINT:5B1F0365C00FFFBA9AA76D5C0FB34280
Type saint
Reporter SAINT Corporation
Modified 2013-08-19T00:00:00

Description

Added: 08/19/2013
CVE: CVE-2013-1559
BID: 59122
OSVDB: 92386

Background

Oracle WebCenter Content is an open platform that allows users to create a vast range of content management applications. It consolidates unstructured content from across diverse systems so it can be centrally managed and then exposes it from within desktop productivity tools, business applications, and mobile devices.

Problem

Oracle WebCenter Content Server contains a flaw in the **CheckOutAndOpen.dll** ActiveX control which is triggered when user-controlled input is passed to the openWebdav method. An attacker who persuades a vulnerable user to open a specially crafted web page could execute arbitrary code in the context of the user.

Resolution

Apply the update referenced in Oracle Critical Patch Update Advisory - April 2013.

References

<http://www.zerodayinitiative.com/advisories/ZDI-13-094/>

Limitations

This exploit was tested against Oracle WebCenter Content 11.1.1.6.0 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

The user must open the exploit in Internet Explorer 8 or 9.

Platforms

Windows