OpenText Documentum Administrator / Webtop XXE Injection

2017.09.27
Risk: High
Local: No
Remote: Yes
CWE: N/A

Title: OpenText Documentum Administrator and Webtop - XML External Entity Injection Author: Jakub Palaczynski, Pawel Gocyla Date: 24. September 2017 CVE (Administrator): CVE-2017-14526 CVE (Webtop): CVE-2017-14527 Affected software: ================== Documentum Administrator Documentum Webtop Exploit was tested on: ====================== Documentum Administrator version 7.2.0180.0055 Documentum Webtop version 6.8.0160.0073 Other versions may also be vulnerable. XML External Entity Injection - 4 instances: ============================================ Please note that examples below are for Documentum Administrator, but the same exploitation takes place in Webtop. This vulnerability allows for: - listing directories and retrieving content of files from the filesystem - stealing hashes of user that runs Documentum (if installed on Windows) - DoS 1. Instance 1 and 2: Authenticated users can exploit XXE vulnerability by browsing "Tools > Preferences". It generates request to /xda/com/documentum/ucf/server/transport/impl/GAIRConnector which contains two XML structures. Both accept DTD and parse it which allows exploitation. 2. Instance 3: Authenticated users can exploit XXE vulnerability by using "File > Import". Users can import XML files and use "MediaProfile" to open file which triggers vulnerability. 3. Instance 4: Authenticated users can exploit XXE vulnerability by using "File > Check In". Users can use XML check in file and use "MediaProfile" to open it which triggers vulnerability. Fix: ==== https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com pawellgocyla[at]gmail[dot]com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top