Public Access to Records in Oracle UCM Can Make Web Sites Vulnerable
I was recently surprised to find a lot of companies running Oracle UCM systems that were exposed in a way that someone could hijack the website. We were looking for documents related to generic properties forms on the internet and quickly found 4 large government and corporate companies with systems left wide open with material relating to their websites. We logged on as a guest user, and we could have deleted the web content or checked out the content and checked in new content, giving us control of what is on their websites. I was able to get the emails of the contributors from the system and emailed them to let them know that they need to lock down their site. It was interesting that I never got a response from any of the people and that the web sites are still exposed. When mixing critical business content and public access, you can’t take security and rights issues lightly. In this case, a simple checkbox can make the difference between fast access to important ECM records and becoming a victim of HTML theft.
I’m shocked to hear that none of the contacted companies have responded back with even the remotest possibility of having their website hijacked. The above examples are but a few of the possible kinds of damage that could occur, with deleting a site or completely altering the content of a site being the most visible. There are even more subtle forms of web vandalism which would be far harder to realize until after the damage was done.
The searches for the generic property forms were but one way to gain access to the system. All the forms searches did was expose the URLs of UCM’s content management pages for the submitted content. Anyone who knows such a URL can reach these pages while logged in as the “Guest” user. Once in the system, the guest user has full rights to search all of the documents within the “Public” security group, and unless that access is restricted it can delete, check out, and check in any content it comes across.
The “Guest” account needs to have read access in order for your web pages to be visible to the outside world, but the “Guest” account does not need write or delete access.
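Restricting Guest to read-only is the fix; the complementary check is to look at your web server’s access logs for the exposure the post describes, i.e. unauthenticated (guest) requests invoking services that change content. The following script is an added example, not code from the original post or from Oracle. It assumes the content server is fronted by a web server writing Apache combined-format access logs, that unauthenticated requests show the user field as “-”, and that the IdcService names listed (CHECKOUT, DELETE_DOC, CHECKIN_UNIVERSAL and so on) match the ones your deployment uses; the log lines are constructed for the example.

```python
"""Flag content-changing Oracle UCM service calls made by unauthenticated (guest) clients.

Added example, not part of the original post. Assumes Apache combined-format
access logs in front of the content server; the IdcService names below are
assumptions to be checked against your own deployment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Services that create, modify or delete content. A guest user should never be
# seen invoking these; read-only services (searches, file downloads) are expected.
WRITE_SERVICES = {
    "CHECKIN_UNIVERSAL", "CHECKIN_NEW", "CHECKIN_SEL", "CHECKOUT", "UNDO_CHECKOUT",
    "DELETE_DOC", "DELETE_REV", "UPDATE_DOCINFO", "EDIT_DOCINFO",
}

# Apache combined log format:
#   host ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): one guest search, a guest
# check-out and delete of the home page, an authenticated editor's delete, and a
# guest file download.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2010:14:02:11 +0000] "GET /idc/idcplg?IdcService=GET_SEARCH_RESULTS&QueryText=dDocType+%3Cmatches%3E+%60Form%60 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2010:14:03:40 +0000] "GET /idc/idcplg?IdcService=CHECKOUT&dID=1234&dDocName=HOMEPAGE HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2010:14:04:02 +0000] "GET /idc/idcplg?IdcService=DELETE_DOC&dID=1234&dDocName=HOMEPAGE HTTP/1.1" 200 1450 "-" "Mozilla/5.0"',
    '198.51.100.7 - webeditor [10/Mar/2010:14:05:19 +0000] "GET /idc/idcplg?IdcService=DELETE_DOC&dID=1299&dDocName=OLDBANNER HTTP/1.1" 200 1450 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2010:14:06:00 +0000] "GET /idc/idcplg?IdcService=GET_FILE&dDocName=HOMEPAGE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query)
    # IdcService is the UCM service being invoked; absent on plain page/file requests.
    rec["service"] = query.get("IdcService", [None])[0]
    return rec


def is_guest(rec):
    """Unauthenticated requests carry no user name; 'anonymous'/'guest' cover other front ends."""
    return rec["user"].lower() in ("-", "anonymous", "guest")


def find_guest_writes(lines):
    """Return (host, time, service) for every guest request to a content-changing service.

    Every attempt is reported, regardless of HTTP status: a guest even being
    able to submit such a request is the misconfiguration worth investigating.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["service"] is None:
            continue
        if is_guest(rec) and rec["service"].upper() in WRITE_SERVICES:
            findings.append((rec["host"], rec["time"], rec["service"]))
    return findings


def guest_write_hosts(lines):
    """Aggregate the findings per client host to see who has been editing as guest."""
    counts = {}
    for host, _time, _service in find_guest_writes(lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, when, service in find_guest_writes(SAMPLE_LOG):
        print(f"{when}  {host}  guest invoked {service}")
    print(guest_write_hosts(SAMPLE_LOG))
```

On the constructed sample this reports the guest CHECKOUT and DELETE_DOC requests from 203.0.113.5 and nothing else: the search and file download are expected guest traffic, and the editor’s delete was authenticated. One caveat: check-ins submitted from the content server’s own forms are usually POSTs whose parameters sit in the request body, which the access log does not record, so this catches GET-style service links; for full coverage also review the content server’s own audit trail and, above all, remove write and delete rights from the Guest role.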