Title: OpenText Documentum Administrator and Webtop - XML External Entity Injection Author: Jakub Palaczynski, Pawel Gocyla Date: 24. September 2017 CVE (Administrator): CVE-2017-14526 CVE (Webtop): CVE-2017-14527 Affected software: ================== Documentum Administrator Documentum Webtop Exploit was tested on: ====================== Documentum Administrator version 7.2.0180.0055 Documentum Webtop version 6.8.0160.0073 Other versions may also be vulnerable. XML External Entity Injection - 4 instances: ============================================ Please note that examples below are for Documentum Administrator, but the same exploitation takes place in Webtop. This vulnerability allows for: - listing directories and retrieving content of files from the filesystem - stealing hashes of user that runs Documentum (if installed on Windows) - DoS 1. Instance 1 and 2: Authenticated users can exploit XXE vulnerability by browsing "Tools > Preferences". It generates request to /xda/com/documentum/ucf/server/transport/impl/GAIRConnector which contains two XML structures. Both accept DTD and parse it which allows exploitation. 2. Instance 3: Authenticated users can exploit XXE vulnerability by using "File > Import". Users can import XML files and use "MediaProfile" to open file which triggers vulnerability. 3. Instance 4: Authenticated users can exploit XXE vulnerability by using "File > Check In". Users can use XML check in file and use "MediaProfile" to open it which triggers vulnerability. Fix: ==== https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com pawellgocyla[at]gmail[dot]com