SEC Consult Vulnerability Lab Security Advisory < 20131107-0 >
=======================================================================
              title: Multiple reflected cross-site scripting vulnerabilities
            product: EMC Documentum eRoom
 vulnerable version: 7.44
      fixed version: 7.4.4 P11
                CVE: CVE-2013-3286
             impact: medium
           homepage: http://www.emc.com/products/detail/software2/eroom.htm
              found: 2012-08-20
                 by: V. Paulikas
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com/
=======================================================================

Vendor description:
-------------------
"EMC Documentum eRoom is easy-to-use online team collaboration software
that enables distributed teams to work together more efficiently. With
Documentum eRoom, teams around the world can accelerate document
collaboration and group activities, improve the development and delivery
of products and services, optimize collaborative business processes,
improve innovation, and streamline decision-making."

http://www.emc.com/products/detail/software2/eroom.htm

Vulnerability overview/description:
-----------------------------------
Documentum eRoom suffers from multiple reflected cross-site scripting
vulnerabilities, which allow an attacker to steal other users' sessions,
to impersonate other users and to gain unauthorized access to documents
hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom
and gather all available documents.

Many parameters are not properly sanitized and are therefore vulnerable
to XSS. The proof of concept below covers the request headers that are
reflected into the response without encoding.

Proof of concept:
-----------------
1) The "Referer" header is not properly validated and is thus prone to
reflected cross-site scripting.

Request:

POST /eRoomASP/Connect.asp?Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= HTTP/1.1
Host: localhost
Referer: localhost/eRoomxss">

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=&ERWindowName=eRw1343558275&LoginName=asd&Password=asd

2) The "User-Agent" header is not properly validated and is thus prone to
reflected cross-site scripting.

Request:

GET /eRoomtest/diagVariables.asp HTTP/1.1
User-Agent:
Host: localhost

Other vulnerable header fields include "Connection" and "Accept-Language".

Vendor contact timeline:
------------------------
2012-10-09: Contacting vendor through security_alert@emc.com
2012-10-09: Vendor forwarded information to product team
2012-10-31: Vendor investigates reported issues
2013-07-16: Vendor will release the fixes for the issues with 7.4.4 SP1
            in early Q2 2014
2013-11-13: Coordinated release of advisory

Solution:
---------
Upgrade to EMC Documentum eRoom version 7.4.4 P11.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013
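The root cause in the proof of concept above is a diagnostics-style page that echoes request headers into HTML verbatim. The following is an added Python example (not eRoom code and not from the advisory) that models that page: an unencoded renderer beside one that HTML-encodes every value, plus a small check a defender can run over captured request headers to flag values that would break out of an attribute or tag. The sample headers are constructed, and the `diagVariables`-style table layout is an assumption.

```python
import html
from typing import Dict, List

# Constructed sample request, modelled on the advisory's PoC: the Referer
# carries a quote and angle bracket that close an attribute and open a tag
# if the value is echoed verbatim. Markup here is deliberately harmless.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "localhost",
    "Referer": 'localhost/eRoomxss"><b>injected</b>',
    "User-Agent": "<i>ua</i>",
    "Accept-Language": "en-US",
}

# Header fields the advisory reports as reflected without encoding.
REFLECTED_HEADERS = ("Referer", "User-Agent", "Connection", "Accept-Language")

# Characters that end an attribute value or start a tag in HTML output.
BREAKOUT_CHARS = '<>"\''


def render_variables_unsafe(headers: Dict[str, str]) -> str:
    """Vulnerable pattern: header values are concatenated straight into HTML,
    both inside a quoted attribute and as element text."""
    rows = [f'<tr><td>{name}</td><td title="{value}">{value}</td></tr>'
            for name, value in headers.items()]
    return "<table>" + "".join(rows) + "</table>"


def render_variables_safe(headers: Dict[str, str]) -> str:
    """Hardened pattern: every value is HTML-encoded for the context it lands
    in. quote=True also encodes " and ', which matters inside attributes
    (the classic-ASP equivalent would be Server.HTMLEncode)."""
    rows = [
        f'<tr><td>{html.escape(name)}</td>'
        f'<td title="{html.escape(value, quote=True)}">{html.escape(value)}</td></tr>'
        for name, value in headers.items()
    ]
    return "<table>" + "".join(rows) + "</table>"


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Defender-side check: names of reflected headers whose value contains a
    character that would break out of HTML context if echoed unencoded."""
    return [name for name in REFLECTED_HEADERS
            if name in headers and any(c in headers[name] for c in BREAKOUT_CHARS)]


if __name__ == "__main__":
    print(render_variables_unsafe(SAMPLE_HEADERS))
    print(render_variables_safe(SAMPLE_HEADERS))
    print(suspicious_headers(SAMPLE_HEADERS))
```

The same check can be run over web-server logs that record the Referer and User-Agent fields, which is where reflection attempts against these headers leave a trace.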