
Easy Enterprise DMS Cross Site Scripting / Unauthorized Access

Date: 28 Mar 2010
Reported by: Michael Mueller
Type: packetstorm
Source: packetstormsecurity.com

Easy Enterprise DMS vulnerabilities, multiple attacks, unauthorized access to files, unauthorized data manipulatio

Code
`------------------------------------------------  
  
Multiple Vulnerabilities in EASY Enterprise DMS  
- Stored XSS  
- XSS  
- Content Injection / Phishing through Frames  
- Unauthorized access to files  
- Unauthorized manipulation of data  
Date: 25.03.2010  
  
------------------------------------------------  
  
EASY Enterprise is a widespread and popular document management system.  
Release version 6.0f (Nov 24 2009 #1752) has been found vulnerable to multiple attacks that affect the integrity and confidentiality of stored content and compromise multitenancy.  
  
- XSS, CI / Phishing  
File: epctrl.jsp  
Parameter: login  
Parameter: lng  
Parameter: dsn  
  
File: dlc_printLB.jsp  
Parameter: dlcFileId  
  
  
- Stored XSS  
In file upload function, parameter filename. No further example will be provided.  
  
- Unauthorized access to files  
By changing a URL parameter (dlcFolderId) to a proper value, it is possible to get access to files the user has no rights to.  
  
In addition, by guessing values for the parameters dlcDocumentId and dlcFileId, an unprivileged user is able to download any file stored in the application.  
  
- Unauthorized manipulation of data  
By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate stored data (document owner, upload user, document state, approval flag).  
  
  
- Solution  
Contact the vendor for a patch or upgrade to version 1754 or higher.  
  
- Credits  
  
The vulnerabilities were discovered by Michael Mueller from Integralis  
michael#dot#mueller#at#integralis#dot#com  
  
- Timeline  
04.01.2010 - Vulnerabilities discovered  
04.01.2010 - Vendor contacted with details  
05.01.2010 - Initial vendor response with ACK and fix solution  
21.01.2010 - Additional vulnerabilities discovered  
22.01.2010 - Vendor contacted with details  
Up to date: No vendor response  
25.03.2010 - Public release  
`
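
For defenders who cannot patch immediately, the following added example (not part of the original advisory and not vendor code) shows one way to hunt web access logs for the request patterns described above: markup in the reflected parameters and one client walking through many object IDs. The log layout, the request paths, the threshold and the sample lines are assumptions constructed for illustration; only the parameter and file names come from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the advisory.
REFLECTED = {"login", "lng", "dsn", "dlcFileId"}            # XSS / frame injection
OBJECT_IDS = {"dlcFolderId", "dlcDocumentId", "dlcFileId"}  # direct object references
# Heuristic (assumption): markup characters or an absolute URL do not belong in these values.
MARKUP = re.compile(r'[<>"]|://')
# Assumed log layout: common/combined access log (client, ident, user, [time], "request").
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) ')

def analyze(lines, max_distinct_ids=3):
    """Return (finding, client, parameter) tuples for suspicious requests."""
    seen = defaultdict(set)  # (client, parameter) -> distinct ID values requested
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, target = m.groups()
        client = user if user != "-" else ip  # prefer the authenticated user name
        # parse_qs percent-decodes once, so %3C is inspected as "<".
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in query.items():
            for value in values:
                if name in REFLECTED and MARKUP.search(value):
                    findings.append(("markup-in-parameter", client, name))
                if name in OBJECT_IDS:
                    seen[(client, name)].add(value)
    # One client requesting many different IDs matches the "guessing values" pattern.
    for (client, name), ids in sorted(seen.items()):
        if len(ids) > max_distinct_ids:
            findings.append(("id-enumeration", client, name))
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '10.0.0.5 - alice [25/Mar/2010:10:00:01 +0100] "GET /epctrl.jsp?login=alice&lng=de&dsn=archive HTTP/1.1" 200 900',
    '10.0.0.5 - alice [25/Mar/2010:10:00:09 +0100] "GET /dlc_printLB.jsp?dlcFileId=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Mar/2010:10:01:00 +0100] "GET /epctrl.jsp?lng=%3Ci%3Ede HTTP/1.1" 200 900',
] + ['10.0.0.7 - bob [25/Mar/2010:10:02:%02d +0100] "GET /dlc_printLB.jsp?dlcFileId=%d HTTP/1.1" 200 512'
     % (i, 2000 + i) for i in range(5)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Query strings are the only input inspected here, so the stored XSS through the upload filename and any POST-body tampering with the disabled buttons need application or proxy body logging to detect.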
