Oracle Hyperion Financial Management ActiveX File Upload

2011-11-15T00:00:00
ID SAINT:97BB02F1C15FBC65245A93ED36A04F9F
Type saint
Reporter SAINT Corporation
Modified 2011-11-15T00:00:00

Description

Added: 11/15/2011
BID: 50476

Background

Oracle Hyperion Financial Management is a web-based financial consolidation, reporting and analysis solution.

Problem

The Hyperion Financial Management web application installs an ActiveX control on the client system. The control is marked as safe for scripting and safe for initialization, so any website the user visits can instantiate and script it. Its SaveData function does not adequately validate the file type or the target directory, so a malicious site may write a file of its choosing to a location of its choosing on the victim's computer.

Resolution

No update is available for this vulnerability at the time of publishing this exploit. As a mitigation, the ActiveX control can have its kill bit set by following the instruction detailed here. Please note that setting the kill bit may prevent the web client from functioning properly.
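The kill-bit mitigation above, as an added PowerShell example that is not part of the SAINT record: it sets the Internet Explorer kill bit (Compatibility Flags 0x400) for a control's CLSID and then verifies it. The control's CLSID is not given on this page, so `$Clsid` below is a placeholder to be replaced with the value from the vendor advisory or the control's registration; the registry paths are the standard ActiveX Compatibility keys (including the Wow6432Node view on 64-bit Windows).

```powershell
# Added example, not code from the SAINT record. Run from an elevated PowerShell session.
# PLACEHOLDER: the HFM control's real CLSID is not on this page; replace before use.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to load the control

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 64-bit Windows keeps a second view for 32-bit IE under Wow6432Node.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them.
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is set in every applicable registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Warning "Kill bit NOT set for $Clsid"
}
```

Because the kill bit blocks the control for every site, including the HFM web client itself, verify the client still works as expected after applying it, as the resolution notes.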

References

<http://retrogod.altervista.org/9sg_ohfm_adv.html>

Limitations

This exploit has been tested against Oracle Hyperion Financial Management 11.1.2.1.0 on Windows XP SP3 English (DEP OptIn).

Platforms

Windows