Wednesday, July 6, 2016

CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities

CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities

DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process. 

Remote Exploitation, no authentication required

Vendor Response: None

Vulnerability Findings

1. SQL Injection

DocuClass web application contains a SQL injection vulnerability.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

DocuClass web application contains a SQL injection vulnerability due to the application failing to validate user input. Multiple parameters are vulnerable.

Vulnerable URLs & parameters:


A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: PostgreSQL boolean-based blind - Parameter replace
    Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008

B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]

Impact
An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.

2. Access Control Flaws

DocuClass web application does not enforce strict access control.

PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf

Dump all the documents with a bit of scripting.

Impact
An unauthenticated user can access all stored documents by directly calling the document url.

3. Cross-Site Scripting

DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]

Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.

4. Vulnerable to Cross-Site Request Forgery

The application does not have a CSRF Token generated per page and / or per (sensitive) function. 

Impact
Successful exploitation of this vulnerability can allow silent execution of unauthorized actions in the application such as configuration changes, potentially deleting stored documents, running reports, changing passwords, filling disk space via repeated duplicate copying of documents, etc.

+++++

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.