# Application: Oracle WebCenter Sites (FatWire Content Server)
# Versions Affected: 7.x < 11gR1
# Vendor URL: http://oracle.com
# Bugs: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <
11gR1
# Sent:  18.12.2017
# Reported:  18.12.2017
# Date of Public Advisory: 14.04.2018
# Reference: Oracle Security Note S0932669
# Author: Richard Alviarez (SIA Group)


Description

1. #+# ADVISORY INFORMATION

Title: Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x <
11gR1
Advisory ID: S0932669
Risk: High
Date published: 15.04.2018
Vendors contacted: Oracle


2. #+# VULNERABILITY INFORMATION

Class: Authorization
Impact: Information leakage
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2018-2791

CVSS Information
* CVSSv3 Base Score: 8.2
* CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N


3. #+# VULNERABILITY DESCRIPTION

 The backend of the Content Server is prone to permanent and reflected
 Cross-Site Scripting attacks. The vulnerability can be used to include
 HTML- or JavaScript code to the affected web page. The code is executed
 in the browser of users if they visit the manipulated site.
 The vulnerability can be used to change the contents of the displayed
site,
 redirect to other sites or steal user credentials. Additionally, Portal
 users are potential victims of browser exploits and JavaScript Trojans.



4. #+# VULNERABLE PACKAGES

Multiple XSS Oracle WebCenter Sites (FatWire Content Server) 7.x < 11gR1

Other versions are probably affected too, but they were not checked.


5. #+# SOLUTIONS AND WORKAROUNDS

To fix the vulnerability, upgrade to version.


6. #+# AUTHOR

Richard Alviarez  (SIA Group)


7. #+# TECHNICAL DESCRIPTION

A possible attacker can take advantage of the vulnerability to inject
javascript code
in order to perform several attack vectors, such as identity theft (cookie
theft), redirection
to malicious external sites, phishing attacks among others.


Steps to exploit this vulnerability


1. Open https://WEB/servlet/Satellite?c=Noticia&cid={ID}&pagename=
OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=
eee%22%3E%3Cscript%3Ealert(123)%3C/script%3E%3C
<https://WEB/servlet/Satellite?c=Noticia&cid=%7BID%7D&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C>

Note: {ID} Change for ID to site example (1362484193835)

Other vulnerable parameters:

 2. servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/
Gator/FlexibleAssets/AssetMaker/confirmmakeasset&
cs_imagedir=eee"<scriptalert(document.cookie)</script


 3. servlet/Satellite?destpage="<h1xxx<scriptalert(1)</script&
pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError



#+# Collaborators

- CuriositySec
- Victor
- Vis0r
- Oxd0m7