Date: Mon, 20 Nov 2017 10:37:02 +0200
From: Graham Leggett <>
Subject: [CVE-2017-15044] DocuWare FullText Search - Incorrect Access Control

CVE-2017-15044: DocuWare FullText Search - Incorrect Access Control vulnerability

Severity: High

------------------------------------------


DocuWare Europe GmbH
Therese-Giehse-Platz 2 82110 Germering Germany

------------------------------------------


The default installation of the DocuWare FullText Search server allows remote
users to connect to the embedded Solr service and download and/or modify all
searchable text, bypassing the access control features of the DocuWare user
interfaces and API. The vulnerability can be exploited remotely, and allows
both escalation of privileges and information

------------------------------------------

Additional Information:

Based on the manual at the
default behaviour of DocuWare is as follows:

"This shows the URL and the address of the Tomcat server that you are
using for the full text in DocuWare. The URL of the connection set up
by the system by default is "http://<hostname>:9013"."

This default behaviour binds the embedded Solr server to the external
network interface of the machine, and exposes all data to any HTTP client
able to connect without access control or data security.

While the manual makes reference to port 9013, the vulnerability was
discovered in a server bound to port 9012 instead.

------------------------------------------


To mitigate the issue, modify the server.xml file of the embedded Tomcat
server that hosts DocuWare FullText Search, and add address="localhost"
to the Connector entries as follows:

- --- server.xml-orig	2017-11-19 22:33:55.049241032 +0200
+++ server.xml	2017-11-19 22:33:19.307923621 +0200
@@ -66,7 +66,7 @@
          APR (HTTP/AJP) Connector: /docs/apr.html
          Define a non-SSL HTTP/1.1 Connector on port 8080
- -    <Connector port="9012" protocol="HTTP/1.1"
+    <Connector port="9012" address="localhost" protocol="HTTP/1.1"
                redirectPort="8443" />
     <!-- A "Connector" using the shared thread pool-->
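Review bot: the context line kept above the connector still reads "Define a non-SSL HTTP/1.1 Connector on port 8080" while the connector being edited listens on port 9012; update that comment in the same change so it does not mislead the next person reading server.xml. Note also that this hunk's header claims 7 lines but only 5 survive here, so it will not apply cleanly with `patch`; the one-attribute edit is easier to make by hand. An explicit `address="127.0.0.1"` is worth considering instead of `address="localhost"`, since a hostname is resolved at startup and on a dual-stack host may bind only one loopback family.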
@@ -88,7 +88,7 @@
     <!-- Define an AJP 1.3 Connector on port 8009 -->
- -    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    <Connector port="8009" address="localhost" protocol="AJP/1.3" redirectPort="8443" />
     <!-- An Engine represents the entry point (within Catalina) that processes
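Review bot: restricting the AJP connector to localhost only makes sense if a local reverse proxy actually speaks AJP to this Tomcat; nothing in the advisory indicates one exists, so if DocuWare does not use AJP the cleaner fix is to comment the `<Connector port="8009" ... />` line out entirely, which removes the port 8009 listener rather than merely narrowing it. As with the first hunk, the header claims 7 lines but only 4 are shown, so apply the edit by hand.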

For more complex deployments where limiting the client to localhost is
not an option, see the Apache Tomcat manual on valve configuration as follows:

While placing the DocuWare FullText Search server behind a firewall may have offered
some mitigation against this vulnerability, care must be taken to ensure that:

- the firewall blocks ports 9012/9013 and 8009;
- from the internet; and
- from users inside a corporate or internal network; and
- from other server machines, routers and any other devices that share the
same network as DocuWare FullText Search.

It is prudent to assume that a typical firewall installation does not follow
all of the requirements above, and to assume that all installations are
therefore potentially vulnerable.
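As an added example that is not part of this advisory or of DocuWare's software, the following Python check parses a Tomcat server.xml and reports every Connector that is not bound to a loopback address, which is the condition the mitigation above corrects; the sample server.xml is constructed to resemble the connectors shown in the patch, and the helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the embedded Tomcat server.xml from the
# advisory: an HTTP connector on 9012 and an AJP connector on 8009, neither
# carrying an address attribute, so Tomcat listens on every interface.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9012" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Address values that keep a connector reachable from the local host only.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def exposed_connectors(server_xml: str):
    """Return (port, protocol, address) for each Connector whose bind
    address is missing or not a loopback address, i.e. reachable from
    other hosts. An absent address attribute means Tomcat binds all
    interfaces, which is the exposed default the advisory describes."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if address is None or address.strip() not in LOOPBACK:
            findings.append((conn.get("port"), conn.get("protocol"), address))
    return findings


def harden(server_xml: str, address: str = "localhost") -> str:
    """Return server.xml with address=... added to every Connector that
    lacks one, mirroring the advisory's mitigation. ElementTree drops XML
    comments when serialising, so treat this as a demonstration and make
    the real edit by hand to preserve the file's comments."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("address") is None:
            conn.set("address", address)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, proto, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"EXPOSED: port {port} ({proto}) address={addr}")
    print("after hardening:", exposed_connectors(harden(SAMPLE_SERVER_XML)))
```

Run it against the real file with `exposed_connectors(open("server.xml").read())`; an empty list means every connector, including the AJP one on 8009, is confined to loopback.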

------------------------------------------

Vulnerability Type:

Incorrect Access Control.

------------------------------------------

Affected Product Code Base:

DocuWare - 6.9

Appears to affect all versions in v6.x, including the most recent 6.11.

------------------------------------------

Affected Component:

DocuWare FullText Search

------------------------------------------

Attack Vectors:

To exploit the vulnerability, the attacker needs to point a web
browser at the embedded DocuWare Fulltext Search server Solr application on
the exposed port (9012/9013) and path (/solrt).

Alternatively, port 8009 exposes the same service via the AJP protocol.
Configure a reverse proxy to translate AJP into HTTP and use a web browser
to view the data as described above.

The full contents of the Docuware FullText Search server can be browsed,
downloaded, modified or deleted using the Solr administration interface.

------------------------------------------

Disclosure Timeline:

2017-09-30: Vendor disclosure.
2017-10-05: CVE issued.
2017-10-24: Vendor acknowledgement of the security hole with Docuware internal bug
number 203945, but no commitment for a fix: "Therefore we can’t specify any
date or timeframe on which you can expect the problem to be fixed I’m
2017-10-25: Request for an arrangement for coordinated disclosure, request
escalated internally, however request ignored.
2017-11-03: Second request for an arrangement for coordinated disclosure,
request escalated internally again, however request ignored again.
2017-11-20: Full disclosure with details of mitigation.

------------------------------------------


Graham Leggett <minfrin sharp fm>
