Interesting things about ECM


SQL injection vulnerability for Oracle UCM (Stellent) 7.5 and prior

Filed under: Oracle UCM, Vulnerability — Anthony Fast @ 1:46 pm



The second finding in Metalink was an exploit in the CMS from Stellent (aka Oracle Universal Content Management), acquired by Oracle in 2007. Publishing exploits with customer URLs is bad style…


Note 733017.1 from October 2008 says:
Version 6.2 of the Content Server has an SQL injection vulnerability.

Oracle was so nice as to publish the exploit pointing to a customer site.

Security consultant report states:

Severity: 5
Port: 80
Name: SQL injection
Description: "An SQL injection vulnerability was identified in the following page: ****&dID=1%20and%20convert

The back-end version returned was 'Microsoft SQL Server 2000 -8'"

– Business Impact:
Potential security threat

This is a known bug/issue with 7.5 and prior. (internal bug p51038621)


Good to know that SQL Injection is just a potential security threat…
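The note gives defenders one concrete indicator: a dID parameter that is a document id in the Content Server, yet arrives carrying SQL. The following is an added example (not code from this post or from Oracle) that scans web-server access-log lines for dID values that are not plain integers, decoding twice so that double URL-encoded probes are caught as well; the log format, the /idc/idcplg request path and the marker list are assumptions.

```python
"""Flag Content Server requests whose dID parameter is not a bare integer.
The sample log lines below are constructed; only the dID field name and
the "1 and convert" form come from the Metalink note quoted above."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-format access log: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A legitimate dID is a document id, i.e. digits only.
INTEGER_RE = re.compile(r"^\d+$")

# Assumed substrings typical of error-based probes against MSSQL back ends.
PROBE_MARKERS = ("and convert", "convert(", "@@version", "'", "--", "waitfor")

# Constructed sample: one clean request, the probe from the note, the same
# probe double-encoded, a malformed id, and two requests without dID.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2008:10:01:02 +0000] "GET /idc/idcplg?IdcService=GET_FILE&dID=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Oct/2008:10:01:03 +0000] "GET /idc/idcplg?IdcService=GET_FILE&dID=1%20and%20convert HTTP/1.1" 500 312',
    '10.0.0.5 - - [12/Oct/2008:10:01:04 +0000] "GET /idc/idcplg?IdcService=GET_FILE&dID=1%2520and%2520convert HTTP/1.1" 500 312',
    '10.0.0.7 - - [12/Oct/2008:10:02:00 +0000] "GET /idc/idcplg?IdcService=DOC_INFO&dID=abc&dDocName=x HTTP/1.1" 400 100',
    '10.0.0.7 - - [12/Oct/2008:10:02:30 +0000] "GET /idc/idcplg?IdcService=GET_SEARCH_RESULTS HTTP/1.1" 200 4096',
    '10.0.0.9 - - [12/Oct/2008:10:03:00 +0000] "POST /idc/idcplg HTTP/1.1" 200 64',
]


def classify(value):
    """Label a non-integer dID as an injection probe or merely malformed."""
    lowered = value.lower()
    if any(marker in lowered for marker in PROBE_MARKERS):
        return "sqli-probe"
    return "non-numeric"


def suspicious_did_values(log_lines):
    """Return (line_no, decoded_dID, label) for each dID that is not an integer."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        query = urlsplit(match.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get("dID", []):
            # parse_qs decodes once; a second unquote catches double encoding.
            value = unquote(raw).strip()
            if not INTEGER_RE.match(value):
                hits.append((line_no, value, classify(value)))
    return hits


if __name__ == "__main__":
    for line_no, value, label in suspicious_did_values(SAMPLE_LOG):
        print(f"line {line_no}: dID={value!r} -> {label}")
```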

Oracle removed note 733017.1 from Metalink.
