lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47A8B1B1.3020800@cybsec.com>
Date: Tue, 05 Feb 2008 15:57:53 -0300
From: CYBSEC Advisories <advisories@...sec.com>
To: bugtraq@...urityfocus.com
Subject: CYBSEC Security Advisory: Arbitrary file overwrite in Documentum
 Administrator / Documentum Webtop

The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_Documentum_dmclTrace_Arbitrary_file_overwrite.pdf


Advisory Name: Arbitrary file overwrite in Documentum Administrator / Documentum Webtop
==============


Vulnerability Class: Arbitrary file overwrite
====================


Release Date: 2008-02-05
=============


Affected Applications:
======================
* Documentum Administrator version 5.3.0.313
* Documentum Webtop version version 5.3.0.317
* Other applications and versions may also be affected


Affected Platforms:
===================
* Windows 2003 Server - Standard Edition
* Apache Tomcat 5.0.28
* Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
* Other platforms may also be affected


Local / Remote: Remote
===============


Severity: High
=========


Author:  Pablo Gaston Milano
=======


Vendor Status: Confirmed. Updates Released.
==============


Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
=============================================


Vulnerability Description:
==========================

Documentum Administrator and Documentum Webtop were found to be vulnerable to arbitrary file overwrite, by specifying an arbitrary filename attribute
to the “dmclTrace.jsp” page. It is also possible to control the contents of the overwritten file, which could allow the remote upload and execution of
arbitrary code in the context of the user running the application server.


Impact:
=======
Exploitation of this vulnerability would allow an attacker to overwrite arbitrary files on the server filesystem. This could be used to upload and
execute arbitrary code in the context of the user running the application server.


Solution:
=========
The vendor reported that this vulnerability was fixed in SP4 and later.


Vendor Response:
================
. 2007-12-17: CYBSEC contacted Vendor.
. 2007-12-17: Vendor first response.
. 2008-01-04: Vendor confirmed vuln is fixed in latest SP.
. 2008-01-30: CYBSEC informed the vendor the disclosure plan.
. 2008-02-05: Advisory Public Disclosure.


Contact Information:
====================
For more information regarding the vulnerability feel free to contact the researcher at pmilano <at> cybsec <dot> com.



About  CYBSEC S.A. Security Systems
-----------------------------------

Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Computer Security. More than 150 clients around the
globe validate our quality and professionalism.
To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies.
Our services are strictly focused on Information Security, protecting our clients from emerging security threats, mantaining their IT deployments
available, safe, and reliable.
Beyond professional services, CYBSEC is continuosly researching new defense and attack techiniques and contributing with the security community with
high quality information exchange.
	
For more information, please visit www.cybsec.com

(c) 2008 - CYBSEC S.A. Security Systems










Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ