SECURITYVULNS:DOC:23467, Mar 25, 2010

Multiple Vulnerabilities in EASY Enterprise DMS


  • Stored XSS
  • XSS
  • Content Injection / Phishing through Frames
  • Unauthorized access to files
  • Unauthorized manipulation of data

Date: 25.03.2010

EASY Enterprise is a widespread and popular document management system.
Release version 6.0f (Nov 24 2009 #1752) has been found vulnerable to multiple attacks that affect the
integrity and confidentiality of stored content and compromise multitenancy.

  • XSS, CI / Phishing
    File: epctrl.jsp
    Parameter: login
    Parameter: lng
    Parameter: dsn

    File: dlc_printLB.jsp
    Parameter: dlcFileId

  • Stored XSS
    In the file upload function, parameter filename. No further example will be provided.

  • Unauthorized access to files
    By changing a URL parameter (dlcFolderId) to a proper value, it is possible to get access to files the
    user has no rights on.

    In addition, by guessing values for the parameters dlcDocumentId and dlcFileId, an unprivileged user is
    able to download any file stored in the application.

  • Unauthorized manipulation of data
    By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate
    stored data (document owner, upload user, document state, approval flag).
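
Both access-control findings above (file access via dlcFolderId, dlcDocumentId and dlcFileId, and data manipulation via re-enabled buttons) call for checks made on the server for every request. The following is an added example, not part of the advisory and not EASY Enterprise code: a Python model of those checks in which the `Store` class, its method names and the sample records are all constructed assumptions.

```python
# Added illustration, not EASY Enterprise code: the model, names and sample
# records are constructed. Every right is decided from server-side records.
from dataclasses import dataclass, field

# The metadata fields the advisory lists as manipulable.
EDITABLE_FIELDS = {"document_owner", "upload_user", "document_state", "approval_flag"}

class Forbidden(Exception):
    """Caller lacks the right; answer with a generic 403 and no detail."""

@dataclass
class Store:
    readers: dict     # folder id -> users with read rights
    editors: dict     # folder id -> users allowed to change metadata
    doc_folder: dict  # document id -> folder id
    file_doc: dict    # file id -> document id
    metadata: dict = field(default_factory=dict)  # document id -> field values

    def authorize_download(self, user, folder_id, document_id, file_id):
        # Resolve the real parent chain; request parameters are only claims.
        real_doc = self.file_doc.get(file_id)
        real_folder = self.doc_folder.get(real_doc)
        # Unknown and mismatched ids fail the same way, so guessing reveals nothing.
        if real_doc is None or real_doc != document_id or real_folder != folder_id:
            raise Forbidden()
        if user not in self.readers.get(real_folder, set()):
            raise Forbidden()
        return file_id

    def update_metadata(self, user, document_id, changes):
        folder = self.doc_folder.get(document_id)
        # A disabled button is a UI hint; the edit right is re-checked per write.
        if folder is None or user not in self.editors.get(folder, set()):
            raise Forbidden()
        if not set(changes) <= EDITABLE_FIELDS:
            raise Forbidden()
        self.metadata.setdefault(document_id, {}).update(changes)
        return self.metadata[document_id]

def sample_store():
    # Constructed data: two tenants, each with one folder, document and file.
    return Store(
        readers={10: {"alice", "carol"}, 20: {"bob"}},
        editors={10: {"carol"}, 20: set()},
        doc_folder={100: 10, 200: 20},
        file_doc={1000: 100, 2000: 200},
    )
```
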

  • Solution
    Contact the vendor for a patch or upgrade to version 1754 or higher.

  • Credits
    The vulnerabilities were discovered by Michael Mueller from Integralis
    michael#dot#mueller#at#integralis#dot#com

  • Timeline
    04.01.2010 - Vulnerabilities discovered
    04.01.2010 - Vendor contacted with details
    05.01.2010 - Initial vendor response with ACK and fix solution
    21.01.2010 - Additional vulnerabilities discovered
    22.01.2010 - Vendor contacted with details
    Up to date: No vendor response
    25.03.2010 - Public release