------------------------------------------------
Multiple Vulnerabilities in EASY Enterprise DMS
-Stored XSS
-XSS
-Content Injection/Phishing through Frames
-Unauthorized access to files
-Unauthorized manipulation of data
Date: 25.03.2010
------------------------------------------------
EASY Enterprise is a widespread and popular document management system.
Release version 6.0f (Nov 24 2009 #1752) has been found vulnerable to multiple attacks, which affect the integrity and
confidentiality of stored content and compromise the separation between tenants.
-XSS, CI/Phishing
File: epctrl.jsp
Parameter: login
Parameter: lng
Parameter: dsn
File: dlc_printLB.jsp
Parameter: dlcFileId
-Stored XSS
In file upload function, parameter filename. No further example will be provided.
-Unauthorized access to files
By changing a URL parameter (dlcFolderId) to a proper value, it is possible to get access to files the user has no
rights on.
In addition, by guessing values for the parameters dlc1_entid and dlcFileId, an unprivileged user is able to download any
file stored in the application.
-Unauthorized manipulation of data
By simply re-enabling buttons that the server response delivers as deactivated, an unprivileged user is able to manipulate stored data
(document owner, upload user, document state, approval flag), i.e. the restriction is enforced only in the client.
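The two findings above share one root cause: the server trusts the identifiers and field values the client sends instead of checking the caller's rights on the referenced object. The following Python is an added illustration of the server-side checks that close this class of bug; it is not code from the advisory or from EASY Enterprise, and the document records, ACLs, user names and field names are constructed for the example.

```python
# Added example: server-side object-level authorization for file access
# (dlcFileId/dlcFolderId style lookups) and for document updates. All
# records, users and ACLs below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Document:
    file_id: str
    folder_id: str
    owner: str
    title: str = ""
    state: str = "draft"
    approved: bool = False


# Constructed sample data: which users may read which folder.
FOLDER_ACL = {"folder-A": {"alice", "bob"}, "folder-B": {"carol"}}
DOCS = {
    "f-1": Document("f-1", "folder-A", owner="alice", title="report"),
    "f-2": Document("f-2", "folder-B", owner="carol", title="invoice"),
}
ADMINS = {"admin"}
# Fields an ordinary user may never set, whatever the UI offers.
PRIVILEGED_FIELDS = {"owner", "state", "approved"}
# Fields a user with read access may edit.
EDITABLE_FIELDS = {"title"} | PRIVILEGED_FIELDS


class Forbidden(Exception):
    pass


def can_read(user: str, doc: Document) -> bool:
    return user in ADMINS or user in FOLDER_ACL.get(doc.folder_id, set())


def download(user: str, file_id: str) -> Document:
    """Resolve the client-supplied id server-side and check the folder ACL."""
    doc = DOCS.get(file_id)
    # One answer for both "unknown" and "not yours": guessing ids
    # reveals nothing about which ids exist.
    if doc is None or not can_read(user, doc):
        raise Forbidden("no such file")
    return doc


def update_document(user: str, file_id: str, changes: dict) -> Document:
    """Apply only fields the caller may set; disabled buttons are not a control."""
    doc = download(user, file_id)
    unknown = changes.keys() - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if user not in ADMINS and (PRIVILEGED_FIELDS & changes.keys()):
        raise Forbidden("privileged field change requires admin")
    for name, value in changes.items():
        setattr(doc, name, value)
    return doc
```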
-Solution
Contact the vendor for a patch or upgrade to version 1754 or higher.
-Credits
The vulnerabilities were discovered by Michael Mueller from Integrator
Michael # dot # mueller # at # integrate# dot # com
-Timeline
04.01.2010-Vulnerabilities discovered
04.01.2010-Vendor contacted with details
05.01.2010-Initial vendor response with ACK and fix solution
21.01.2010-Additional vulnerabilities discovered
22.01.2010-Vendor contacted with details
To date: no vendor response
25.03.2010-Public release