Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Control Vulnerability

Added: 08/19/2013
CVE: CVE-2013-1559
BID: 59122
OSVDB: 92386

Background

Oracle WebCenter Content is an open platform that allows users to create a vast range of content management applications. It consolidates unstructured content from across diverse systems so it can be centrally managed and then exposes it from within desktop productivity tools, business applications, and mobile devices.

Problem

Oracle WebCenter Content Server contains a flaw in the CheckOutAndOpen.dll ActiveX control which is triggered when user-controlled input is passed to the openWebdav method. An attacker who persuades a vulnerable user to open a specially crafted web page could execute arbitrary code in the context of the user.

Resolution

Apply the update referenced in Oracle Critical Patch Update Advisory - April 2013.

References

http://www.zerodayinitiative.com/advisories/ZDI-13-094/

Limitations

This exploit was tested against Oracle WebCenter Content 11.1.1.6.0 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

The user must open the exploit in Internet Explorer 8 or 9.

Platforms

Windows

Back to exploit index