Public Access to Records in Oracle UCM Can Make Web Sites Vulnerable
I was recently surprised to find a lot of companies running Oracle UCM systems that were exposed in a way that someone could hijack the website. We were looking for documents related to generic properties forms on the internet and quickly found 4 large government and corporate companies with systems left wide open with material relating to their websites. We logged on as a guest user and we could have deleted the web content or checked out the content and checked in new content giving us control of what is on their websites. I was able to get the emails of the contributors from the system and emailed them to let them know that they need to lock down their site. It was interesting that I never got a response from any of the people and that the web sites are still exposed. When mixing critical business content and public access you can’t take security and rights issues lightly. In this case, a simple checkbox can make the difference between fast access to important ECM records and becoming a victim of HTML theft.