"IBM® Web Content Manager is designed to accelerate web content development and
deployment through Internet, intranet and extranet sites. This software enables
users to create and publish content while IT retains control. Through advanced
personalization, IBM Web Content Manager delivers the right information to the
right audience when needed, providing an exceptional customer experience"
The discovered vulnerability can be exploited without authentication and
therefore pose a high security risk - it allows extraction of configuration
data from the server. The impact of the XPath vulnerability isn't researched
fully. SEC Consult suspects that it is possible to extract sensitive
information that will be useful for further attacks. The recommendation of SEC
Consult is to immediately install patches provided by the vendor.
Vulnerability overview/description:
A typical URL for a host with installed WCM looks like this:
http://[HOST]:[PORT]/wps/wcm/connect/[PATH]
The "connect" servlet provided in the standard installation of IBM Web Content
Manager parses the PATH element as follows:
[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]
Due to insufficient validation, the "LIBRARY" element suffers from an
XPath-injection vulnerability.
An unauthenticated user is able to perform blind XPath Injection attacks e.g.
get current application configuration, enumerate nodes and extract other
valuable information from vulnerable installations of Web Content Manager.
Proof of concept:
The vulnerability is exploited due to improper validation of the LIBRARY
parameter, which is parsed by the "connect" servlet.
The most basic cases are presented below, and allow an attacker to manipulate
logic of the request. The "false" clause causes an error, the "true" clause (if
not defined explicitly) redirects an attacker to the
"/wcm/webinterface/login/login.jsp" page.
True clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a
False clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b
Knowing the difference between responses of the true and false clauses, it is
possible to manipulate requests in order to extract the information. For
example, if the following request returns TRUE, this would give an attacker
information about the "name" property.
http://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b
In a similar way, with use of the "jcr:like" and "jcr:contains" functions one
can effectively restore the value for the "target" property.
Vulnerable / tested versions:
The vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which
are the most recent versions at the moment of writing the advisory.
Vendor contact timeline:
2013-12-04: Contacted vendor through psirt@vnet.ibm.com.
2013-12-04: Initial vendor response.
2013-12-06: Issues will be verified.
2013-12-20: Security bulletin released.
2013-12-27: SEC Consult releases coordinated security advisory.
Solution:
Apply the Interim Fix PI07777
www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF A. Antukh / @2013
{"id": "SECURITYVULNS:DOC:30199", "bulletinFamily": "software", "title": "SEC Consult SA-20131227-0 :: IBM Web Content Manager (WCM) XPath Injection", "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20131227-0 >\r\n=======================================================================\r\n title: XPath Injection\r\n product: IBM Web Content Manager (WCM)\r\n vulnerable version: 6.x, 7.x, 8.x\r\n fixed version: -\r\n impact: high\r\n homepage: http://www.ibm.com/\r\n found: 2013-10-27\r\n CVE: CVE-2013-6735\r\n by: A.Antukh, S.Temnikov\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n"IBM\u00ae Web Content Manager is designed to accelerate web content development and\r\ndeployment through Internet, intranet and extranet sites. This software enables\r\nusers to create and publish content while IT retains control. Through advanced\r\npersonalization, IBM Web Content Manager delivers the right information to the\r\nright audience when needed, providing an exceptional customer experience"\r\n\r\nSource: http://www-03.ibm.com/software/products/en/ibmwebcontmana\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nThe discovered vulnerability can be exploited _without_ authentication and\r\ntherefore pose a high security risk - it allows extraction of configuration\r\ndata from the server. The impact of the XPath vulnerability isn't researched\r\nfully. SEC Consult suspects that it is possible to extract sensitive\r\ninformation that will be useful for further attacks. The recommendation of SEC\r\nConsult is to immediately install patches provided by the vendor.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\nA typical URL for a host with installed WCM looks like this:\r\nhttp://[HOST]:[PORT]/wps/wcm/connect/[PATH]\r\n\r\nThe "connect" servlet provided in the standard installation of IBM Web Content\r\nManager parses the PATH element as follows:\r\n[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]\r\n\r\nDue to insufficient validation, the "LIBRARY" element suffers from an\r\nXPath-injection vulnerability.\r\n\r\nAn unauthenticated user is able to perform blind XPath Injection attacks e.g.\r\nget current application configuration, enumerate nodes and extract other\r\nvaluable information from vulnerable installations of Web Content Manager.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\nThe vulnerability is exploited due to improper validation of the LIBRARY\r\nparameter, which is parsed by the "connect" servlet.\r\n\r\nThe most basic cases are presented below, and allow an attacker to manipulate\r\nlogic of the request. The "false" clause causes an error, the "true" clause (if\r\nnot defined explicitly) redirects an attacker to the\r\n"/wcm/webinterface/login/login.jsp" page.\r\n\r\nTrue clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a\r\nFalse clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b\r\n\r\nKnowing the difference between responses of the true and false clauses, it is\r\npossible to manipulate requests in order to extract the information. For\r\nexample, if the following request returns TRUE, this would give an attacker\r\ninformation about the "name" property.\r\n\r\nhttp://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b\r\n\r\nIn a similar way, with use of the "jcr:like" and "jcr:contains" functions one\r\ncan effectively restore the value for the "target" property.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which\r\nare the most recent versions at the moment of writing the advisory.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2013-12-04: Contacted vendor through psirt@vnet.ibm.com.\r\n2013-12-04: Initial vendor response.\r\n2013-12-06: Issues will be verified.\r\n2013-12-20: Security bulletin released.\r\n2013-12-27: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nApply the Interim Fix PI07777\r\nwww.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nEOF A. Antukh / @2013\r\n", "published": "2014-01-09T00:00:00", "modified": "2014-01-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30199", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2013-6735"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:50", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "b8380faba98e4b0e0030e42d4164d34c"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "description", "hash": "36f12ba6dce856e3949ab49fe4405f8b"}, {"key": "href", "hash": "8188ddea727cb193ef8d34131793fb93"}, {"key": "modified", "hash": "1adb02d3d115778dd07b44000a2a70fc"}, {"key": "published", "hash": "1adb02d3d115778dd07b44000a2a70fc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "7aa393e3e5732ecf581080de5db831a5"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "78b248c2dd3ddad0f4a92ce5d8e66a1e1e830b57635f375ada42c46ad66fcffb", "viewCount": 20, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2018-08-31T11:10:50", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-6735"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103882"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:124611"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13509"]}], "modified": "2018-08-31T11:10:50", "rev": 2}, "vulnersScore": 6.5}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2019-05-29T18:13:06", "bulletinFamily": "NVD", "description": "IBM WebSphere Portal 6.0.0.x through 6.0.0.1, 6.0.1.x through 6.0.1.7, 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF26, and 8.0.0.x through 8.0.0.1 CF08 allows remote attackers to obtain sensitive Java Content Repository (JCR) information via a modified Web Content Manager (WCM) URL.", "modified": "2018-10-09T19:34:00", "id": "CVE-2013-6735", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6735", "published": "2013-12-22T15:16:00", "title": "CVE-2013-6735", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "description": "It's possible to obtain configuration data.", "modified": "2014-01-09T00:00:00", "published": "2014-01-09T00:00:00", "id": "SECURITYVULNS:VULN:13509", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13509", "title": "IBM Web Content Manager information leakage", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:33", "bulletinFamily": "exploit", "description": "", "modified": "2013-12-27T00:00:00", "published": "2013-12-27T00:00:00", "href": "https://packetstormsecurity.com/files/124611/IBM-Web-Content-Manager-XPath-Injection.html", "id": "PACKETSTORM:124611", "type": "packetstorm", "title": "IBM Web Content Manager XPath Injection", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20131227-0 > \n======================================================================= \ntitle: XPath Injection \nproduct: IBM Web Content Manager (WCM) \nvulnerable version: 6.x, 7.x, 8.x \nfixed version: - \nimpact: high \nhomepage: http://www.ibm.com/ \nfound: 2013-10-27 \nCVE: CVE-2013-6735 \nby: A.Antukh, S.Temnikov \nSEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \nVendor description: \n------------------- \n\"IBM\u00ae Web Content Manager is designed to accelerate web content development and \ndeployment through Internet, intranet and extranet sites. This software enables \nusers to create and publish content while IT retains control. Through advanced \npersonalization, IBM Web Content Manager delivers the right information to the \nright audience when needed, providing an exceptional customer experience\" \n \nSource: http://www-03.ibm.com/software/products/en/ibmwebcontmana \n \n \nBusiness recommendation: \n------------------------ \nThe discovered vulnerability can be exploited _without_ authentication and \ntherefore pose a high security risk - it allows extraction of configuration \ndata from the server. The impact of the XPath vulnerability isn't researched \nfully. SEC Consult suspects that it is possible to extract sensitive \ninformation that will be useful for further attacks. The recommendation of SEC \nConsult is to immediately install patches provided by the vendor. \n \n \nVulnerability overview/description: \n----------------------------------- \nA typical URL for a host with installed WCM looks like this: \nhttp://[HOST]:[PORT]/wps/wcm/connect/[PATH] \n \nThe \"connect\" servlet provided in the standard installation of IBM Web Content \nManager parses the PATH element as follows: \n[PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT] \n \nDue to insufficient validation, the \"LIBRARY\" element suffers from an \nXPath-injection vulnerability. \n \nAn unauthenticated user is able to perform blind XPath Injection attacks e.g. \nget current application configuration, enumerate nodes and extract other \nvaluable information from vulnerable installations of Web Content Manager. \n \n \nProof of concept: \n----------------- \nThe vulnerability is exploited due to improper validation of the LIBRARY \nparameter, which is parsed by the \"connect\" servlet. \n \nThe most basic cases are presented below, and allow an attacker to manipulate \nlogic of the request. The \"false\" clause causes an error, the \"true\" clause (if \nnot defined explicitly) redirects an attacker to the \n\"/wcm/webinterface/login/login.jsp\" page. \n \nTrue clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a \nFalse clause: http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b \n \nKnowing the difference between responses of the true and false clauses, it is \npossible to manipulate requests in order to extract the information. For \nexample, if the following request returns TRUE, this would give an attacker \ninformation about the \"name\" property. \n \nhttp://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = \"pznDT\") or 'a'='b \n \nIn a similar way, with use of the \"jcr:like\" and \"jcr:contains\" functions one \ncan effectively restore the value for the \"target\" property. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which \nare the most recent versions at the moment of writing the advisory. \n \n \nVendor contact timeline: \n------------------------ \n2013-12-04: Contacted vendor through psirt@vnet.ibm.com. \n2013-12-04: Initial vendor response. \n2013-12-06: Issues will be verified. \n2013-12-20: Security bulletin released. \n2013-12-27: SEC Consult releases coordinated security advisory. \n \n \nSolution: \n--------- \nApply the Interim Fix PI07777 \nwww.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777 \n \n \nWorkaround: \n----------- \nNo workaround available. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Vulnerability Lab \n \nSEC Consult \nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius \n \nHeadquarter: \nMooslackengasse 17, 1190 Vienna, Austria \nPhone: +43 1 8903043 0 \nFax: +43 1 8903043 15 \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF A. Antukh / @2013 \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124611/SA-20131227-0.txt"}], "openvas": [{"lastseen": "2020-05-08T11:02:57", "bulletinFamily": "scanner", "description": "IBM Web Content Manager is prone to an XPath-injection vulnerability.", "modified": "2020-05-05T00:00:00", "published": "2014-01-15T00:00:00", "id": "OPENVAS:1361412562310103882", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103882", "title": "IBM Web Content Manager 'LIBRARY' Parameter XPath Injection Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IBM Web Content Manager 'LIBRARY' Parameter XPath Injection Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103882\");\n script_bugtraq_id(64496);\n script_cve_id(\"CVE-2013-6735\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-05-05T09:44:01+0000\");\n\n script_name(\"IBM Web Content Manager 'LIBRARY' Parameter XPath Injection Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/64496\");\n script_xref(name:\"URL\", value:\"http://www-306.ibm.com/software/websphere/portal/\");\n script_xref(name:\"URL\", value:\"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20131227-0_IBM_WCM_XPath_Injection_v10.txt\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-01-15 16:11:31 +0100 (Wed, 15 Jan 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue by manipulating the XPath query\nlogic to carry out unauthorized actions on the application.\");\n script_tag(name:\"vuldetect\", value:\"Send some special crafted HTTP GET requests and check the response.\");\n script_tag(name:\"insight\", value:\"Due to insufficient validation, the 'LIBRARY' element suffers from an\nXPath-injection vulnerability.\n\nAn unauthenticated user is able to perform blind XPath Injection attacks e.g.\nget current application configuration, enumerate nodes and extract other\nvaluable information from vulnerable installations of Web Content Manager.\");\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory\nfor more information.\");\n script_tag(name:\"summary\", value:\"IBM Web Content Manager is prone to an XPath-injection vulnerability.\");\n script_tag(name:\"affected\", value:\"IBM WebSphere Portal 6.0.0.x through 6.0.0.1,\n\n6.0.1.x through 6.0.1.7,\n\n6.1.0.x through 6.1.0.6 CF27,\n\n6.1.5.x through 6.1.5.3 CF27,\n\n7.0.0.x through 7.0.0.2 CF26,\n\n8.0.0.x through 8.0.0.1 CF08\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\n\nport = http_get_port( default:80 );\n\nurl = \"/wps/wcm/connect/%27%20or%20%27a%27%3d%27b\";\nreq = http_get( item:url, port:port );\nbuf = http_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( buf !~ \"HTTP/1\\.. 404\" ) exit (0);\n\nurl = \"/wps/wcm/connect/%27%20or%20%27a%27%3d%27a\";\nreq = http_get( item:url, port:port );\nbuf = http_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( buf =~ \"HTTP/1\\.. 302\" && buf =~ 'Location:.*/wps/wcm/webinterface/login/login.jsp' )\n{\n security_message( port:port );\n exit(0);\n}\n\nexit (99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
