EMC Document Sciences xPression contains multiple vulnerabilities

Overview

EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain path traversal, SQL injection, cross-site scripting (XSS), open redirect, and cross-site request forgery (CSRF) vulnerabilities.

Description

EMC Document Sciences xPression 4.2 Patch 16 and possibly earlier versions contain the following vulnerabilities in the xAdmin and xDashboard applications:

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) - CVE-2013-6177

The xDashboard application allows unauthorized users to read arbitrary files from the file system using the model.logFileName parameter of the /xDashboard/html/jobhistory/jobLogDisplay.action file.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) - CVE-2013-6176

The xAdmin application has multiple parameters that are susceptible to SQL injection attacks from an unauthorized user.

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’) - CVE-2013-6175

The xAdmin application is vulnerable to a stored cross-site scripting attack through the marker_name parameter of the /xAdmin/html/op_xp_marker_gen.jsp file. Additionally, both the xAdmin and xDashboard applications are vulnerable to reflected cross-site scripting attacks through numerous parameters in each application.

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) - CVE-2013-6174

The xAdmin application contains multiple files with a vulnerable redirectURL parameter.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-6173

The xAdmin and xDashboard applications do not implement a mechanism to prevent cross-site request forgery attacks on input forms. It was reported that Document Sciences xPression version 4.2 Patch 16 and possibly earlier versions are affected by this vulnerability. EMC has stated that this vulnerability exists in version 4.2 before Patch 26 and version 4.5 before Patch 05, but does not exist in versions 4.1.x.

The CVSS score reflects the path traversal vulnerability (CVE-2013-6177).

---

Impact

An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim’s browser, redirect users to other websites, and forge requests on behalf of the victim.

---

Solution

Apply an Update

The vendor has released an update to address these vulnerabilities. Affected users are advised to apply one of the following updates:

* EMC Document Sciences xPression 4.1 SP1 Patch 47 and later 
* EMC Document Sciences xPression 4.2 Patch 26 and later 
* EMC Document Sciences xPression 4.5 Patch 05 and later

EMC has released a security advisory addressing these issues.

Vendor Information

346982

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

EMC Corporation __ Affected

Notified: July 12, 2013 Updated: November 27, 2013

Status

Affected

Vendor Statement

The vendor has issued a security advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.emc.com/index.htm&gt;

CVSS Metrics

Group	Score	Vector
Base	6.8	AV:N/AC:L/Au:S/C:C/I:N/A:N
Temporal	5.3	E:POC/RL:OF/RC:C
Environmental	1.3	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

• <http://seclists.org/bugtraq/2013/Nov/att-94/ESA-2013-078.txt&gt;
• <http://www.emc.com>

Acknowledgements

Credit goes to Verizon Enterprise Solutions - Threat and Vulnerability Management (GCIS) For Discovery: Sertan Kolat and Omer CoskunFor Analysis and coordination: Thierry Zoller

This document was written by Todd Lewellen.

Other Information

CVE IDs:	CVE-2013-6173, CVE-2013-6174, CVE-2013-6175, CVE-2013-6176, CVE-2013-6177
Date Public:	2013-11-20 Date First Published: