Message-ID: <20100325141235.9584.qmail@securityfocus.com>
Date: 25 Mar 2010 14:12:35 -0000
From: michael.mueller@...egralis.com
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities in EASY Enterprise DMS

------------------------------------------------

 Multiple Vulnerabilities in EASY Enterprise DMS
 - Stored XSS
 - XSS
 - Content Injection / Phishing through Frames
 - Unauthorized access to files
 - Unauthorized manipulation of data
 Date: 25.03.2010

------------------------------------------------

EASY Enterprise is a widespread and popular document management system.
Release version 6.0f (Nov 24 2009  #1752) has been found vulnerable to multiple attacks that affect the integrity and confidentiality of stored content and allow a compromise of multitenancy.

- XSS, CI / Phishing
File: epctrl.jsp
Parameter: login
Parameter: lng
Parameter: dsn

File: dlc_printLB.jsp
Parameter: dlcFileId


- Stored XSS
In file upload function, parameter filename. No further example will be provided.

- Unauthorized access to files
By changing a URL parameter (dlcFolderId) to a proper value, it is possible to get access to files the user has no rights on.

In addition, by guessing values for the parameters dlcDocumentId and dlcFileId, an unprivileged user is able to download any file stored in the application.

- Unauthorized manipulation of data
By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate stored data (document owner, upload user, document state, approval flag).


- Solution
Contact the vendor for a patch or upgrade to version 1754 or higher.

- Credits

The vulnerabilities were discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com

- Timeline
04.01.2010 - Vulnerabilities discovered
04.01.2010 - Vendor contacted with details
05.01.2010 - Initial vendor response with ACK and fix solution
21.01.2010 - Additional vulnerabilities discovered
22.01.2010 - Vendor contacted with details
Up to date: No vendor response
25.03.2010 - Public release
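
The two access-control findings above (guessable dlcFileId values and buttons that are only disabled in the page) share one fix: the server decides on every request. The sketch below is an added example, not part of the original advisory and not the vendor's code; apart from the parameter name dlcFileId, every class, field, role and data value in it is a hypothetical assumption.

```java
import java.util.*;

// Added example: server-side object- and field-level authorization.
// AccessGuard, Doc and the tenant/ACL/role model are hypothetical, not EASY Enterprise code.
public class AccessGuard {
    record Doc(int fileId, int folderId, String tenant, String owner, String state) {}

    // Constructed sample data: folder readers, fields each role may write, stored documents.
    static final Map<Integer, Set<String>> FOLDER_READERS = Map.of(
        10, Set.of("alice"), 20, Set.of("bob"));
    static final Map<String, Set<String>> WRITABLE_FIELDS = Map.of(
        "approver", Set.of("state", "approvalFlag"), "user", Set.<String>of());
    static final Map<Integer, Doc> DOCS = Map.of(
        1001, new Doc(1001, 10, "tenantA", "alice", "draft"),
        2001, new Doc(2001, 20, "tenantB", "bob", "draft"));

    // Download: the ID in the request is only a lookup key. Access is decided from
    // the session identity and the stored object, never from knowing the ID.
    static Optional<Doc> download(String user, String tenant, int dlcFileId) {
        Doc d = DOCS.get(dlcFileId);
        if (d == null || !d.tenant().equals(tenant)
                || !FOLDER_READERS.getOrDefault(d.folderId(), Set.of()).contains(user)) {
            return Optional.empty(); // same answer for "missing" and "forbidden"
        }
        return Optional.of(d);
    }

    // Update: re-check on the server which fields this role may change. A control
    // that was disabled in the delivered HTML is a UI hint, not an access control.
    static boolean mayUpdate(String user, String tenant, String role,
                             int dlcFileId, Set<String> fields) {
        return download(user, tenant, dlcFileId).isPresent()
            && !fields.isEmpty()
            && WRITABLE_FIELDS.getOrDefault(role, Set.of()).containsAll(fields);
    }

    public static void main(String[] args) {
        // alice reads a file in her own tenant and folder
        System.out.println(download("alice", "tenantA", 1001).isPresent());
        // alice supplies an ID that belongs to another tenant
        System.out.println(download("alice", "tenantA", 2001).isPresent());
        // plain user submits a field whose button was disabled in the page
        System.out.println(mayUpdate("alice", "tenantA", "user", 1001, Set.of("owner")));
        // approver role changes a field that role is allowed to write
        System.out.println(mayUpdate("alice", "tenantA", "approver", 1001, Set.of("state")));
    }
}
```

User, tenant and role are taken from the authenticated session in this model, never from request parameters.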
