SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Documentum Vendors:  EMC
EMC Documentum 'dmclTrace.jsp' Bug Lets Remote Users Upload Arbitrary Files and Execute Arbitrary Code
SecurityTracker Alert ID:  1019305
SecurityTracker URL:  http://securitytracker.com/id?1019305
CVE Reference:  CVE-2008-0656   (Links to External Site)
Updated:  Feb 17 2008
Original Entry Date:  Feb 5 2008
Impact:  Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): Administrator version 5.3.0.313, Webtop version 5.3.0.317
Description:  Pablo Gaston Milano of CYBSEC reported a vulnerability in EMC Documentum Administrator and Documentum Webtop. A remote user can upload arbitrary files and then execute arbitrary code on the target system.

A remote user supply a specially crafted filename parameter to the 'dmclTrace.jsp' page to upload a file with arbitrary contents and overwrite a file on the target system. The remote user can then cause the application server to execute the file.

The vendor was notified on December 17, 2007.

The original advisory is available at:

http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_Documentum_dmclTrace_Arbitrary_file_ov erwrite.pdf
Impact:  A remote user can upload arbitrary files and then execute arbitrary code on the target system.
Solution:  The vendor has issued a fixed version (SP4).
Vendor URL:  www.documentum.com/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (2003)
Reported By:  CYBSEC Advisories <advisories@cybsec.com>
Message History:   None.

 Source Message Contents
Date:  Tue, 05 Feb 2008 15:56:33 -0300
From:  CYBSEC Advisories <advisories@cybsec.com>
Subject:  CYBSEC Security Advisory: Arbitrary file overwrite in Documentum


 
The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_Documentum_dmclTrace_Arbitrary_file_overwrite.pdf

 
 
Advisory Name: Arbitrary file overwrite in Documentum Administrator / Documentum Webtop
==============
 
 
Vulnerability Class: Arbitrary file overwrite
====================
 
 
Release Date: 2008-02-05
=============
 
 
Affected Applications:
======================
* Documentum Administrator version 5.3.0.313
* Documentum Webtop version version 5.3.0.317
* Other applications and versions may also be affected
 
 
Affected Platforms:
===================
* Windows 2003 Server - Standard Edition
* Apache Tomcat 5.0.28
* Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
* Other platforms may also be affected
 
 
Local / Remote: Remote
===============
 
 
Severity: High
=========
 
 
Author:  Pablo Gaston Milano
=======
 
 
Vendor Status: Confirmed. Updates Released.
==============
 
 
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
=============================================
 
 
Vulnerability Description:
==========================
 
Documentum Administrator and Documentum Webtop were found to be vulnerable to arbitrary file overwrit
e, by specifying an arbitrary filename attribute
to the “dmclTrace.jsp” page. It is also possible to control the contents of the overwritten file, whi
ch could allow the remote upload and execution of
arbitrary code in the context of the user running the application server.
 
 
Impact:
=======
Exploitation of this vulnerability would allow an attacker to overwrite arbitrary files on the server
 filesystem. This could be used to upload and
execute arbitrary code in the context of the user running the application server.
 
 
Solution:
=========
The vendor reported that this vulnerability was fixed in SP4 and later.
 
 
Vendor Response:
================
. 2007-12-17: CYBSEC contacted Vendor.
. 2007-12-17: Vendor first response.
. 2008-01-04: Vendor confirmed vuln is fixed in latest SP.
. 2008-01-30: CYBSEC informed the vendor the disclosure plan.
. 2008-02-05: Advisory Public Disclosure.
 
 
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the researcher at pmilano <a
t> cybsec <dot> com.
 
 
 
About  CYBSEC S.A. Security Systems
-----------------------------------
 
Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Compute
r Security. More than 150 clients around the
globe validate our quality and professionalism.
To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other softw
are and/or hardware provider companies.
Our services are strictly focused on Information Security, protecting our clients from emerging secur
ity threats, mantaining their IT deployments
available, safe, and reliable.
Beyond professional services, CYBSEC is continuosly researching new defense and attack techiniques an
d contributing with the security community with
high quality information exchange.
	
For more information, please visit www.cybsec.com
 
(c) 2008 - CYBSEC S.A. Security Systems


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC