Webtop 6.8 EAP available

ftp://ftp.documentum.com/Hotfixes/KnowledgeWorker/Webtop/6.8_RC/

Main changes:

  • EMC added a paragraph about dmc_wdk_presets_owner and dmc_wdk_preferences_owner accounts in WDK deployment guide (poor xcp and d2 customers – they will never know about these dangerous accounts)
  • Bundled JRE 1.7u51 – a weird choice: 1.7u51 is not supported in previous webtop releases
  • EMC seems to have given up on auditing webtop code for potential vulnerabilities: previous webtop fixes denied direct access (i.e. through a specific URL) to certain components:

    -bash-4.1$ grep -r 'url-addressable-disabled' *| \
    > grep '.xml' |sed -e 's/:.*//'|sort -u|xargs -n1 basename
    actiondispatcher_component.xml
    dm_query_actions.xml
    httpcancelcheckoutcontainer_component.xml
    savedocument_component.xml
    unassignqueuedtask_component.xml
    addvirtualdocumentnode_component.xml
    addvirtualdocumentnodefromclipboard_component.xml
    removevirtualdocumentnodecontainer_component.xml
    taskcomponentcontainer_component.xml
    search60_component.xml
    

    now only certain components are allowed for direct access:

    -bash-4.1$ grep -r 'url-addressable-enabled' *| \
    > grep '.xml' |sed -e 's/:.*//'|sort -u|xargs -n1 basename
    drl_component.xml
    errormessage_component.xml
    getcontent_component.xml
    httpmultifiledownload_component.xml
    residentucfinvoker_component.xml
    virtuallinkconnect_component.xml
    api_component.xml
    dql_component.xml
    viewcontainer_component.xml
    dqleditor_component.xml
    getmessagearchiveattachment_component.xml
    imagepicker_component.xml
    insertlink_component.xml
    spellchecker_component.xml
    searchmonitoring_component.xml
    vdmlist_component.xml
    about_component.xml
    loginex_component.xml
    logoff_component.xml
    mainex_component.xml
    messagebar_component.xml
    titlebar_component.xml
    

    Unfortunately, webtop 6.8 is still vulnerable to XSRF attacks.
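The two grep runs above are a one-off inventory; what a defender usually wants is the same inventory taken on two Webtop trees (the release you run and the one you are evaluating) with the components that became directly URL-addressable pulled out. The script below is an added example, not code from the post or from EMC. It classifies each component XML file purely by whether it contains the literal strings `url-addressable-enabled` or `url-addressable-disabled`, exactly as the grep commands do, and it makes no assumption about what WDK does when neither marker is present: such files are reported as `unmarked`. The sample trees it builds are constructed for the demo and are not real Webtop files.

```python
"""Inventory WDK component definitions by URL-addressability marker and diff two trees.

Added example; not part of the original post. Classification is a plain substring
match on the same markers the post greps for, so it assumes nothing about the
element syntax around them or about WDK's default when no marker is present.
"""
import tempfile
from pathlib import Path

ENABLED = "url-addressable-enabled"
DISABLED = "url-addressable-disabled"


def classify_text(text):
    """Mirror the grep: 'enabled' / 'disabled' by marker, 'unmarked' when neither appears."""
    if ENABLED in text:
        return "enabled"
    if DISABLED in text:
        return "disabled"
    return "unmarked"


def inventory(root):
    """Return {component file basename: classification} for every *.xml under root.

    Keyed by basename like `xargs -n1 basename` in the post, so a component
    defined in several subdirectories collapses to one entry.
    """
    result = {}
    for path in Path(root).rglob("*.xml"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        result[path.name] = classify_text(text)
    return result


def compare(old, new):
    """Return {name: (old_class, new_class)} for components whose class differs.

    A component missing from one tree is reported as 'absent' on that side.
    """
    changes = {}
    for name in sorted(set(old) | set(new)):
        before = old.get(name, "absent")
        after = new.get(name, "absent")
        if before != after:
            changes[name] = (before, after)
    return changes


def newly_reachable(changes):
    """Components that are URL-addressable in the new tree but were not before.

    This is the list to review first: each entry is a component that became
    reachable by direct URL between the two trees.
    """
    return sorted(name for name, (before, after) in changes.items()
                  if after == "enabled" and before != "enabled")


def build_sample_trees(base):
    """Write constructed 'old' and 'new' trees (hypothetical markers, not real Webtop files)."""
    trees = {
        "old": {
            "search60_component.xml": DISABLED,
            "dql_component.xml": ENABLED,
            "about_component.xml": "",
        },
        "new": {
            "search60_component.xml": DISABLED,
            "dql_component.xml": ENABLED,
            "about_component.xml": ENABLED,
            "custom_component.xml": ENABLED,  # hypothetical component added in 'new'
        },
    }
    for tree, files in trees.items():
        folder = Path(base) / tree / "config"
        folder.mkdir(parents=True)
        for name, marker in files.items():
            (folder / name).write_text(f"<!-- constructed sample: {marker} -->\n")
    return Path(base) / "old", Path(base) / "new"


def demo():
    """Build the sample trees, diff them and return (changes, newly reachable components)."""
    with tempfile.TemporaryDirectory() as base:
        old_root, new_root = build_sample_trees(base)
        changes = compare(inventory(old_root), inventory(new_root))
    return changes, newly_reachable(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    for name, (before, after) in changes.items():
        print(f"{name}: {before} -> {after}")
    print("review first:", flagged)
```

Run it against two unpacked webtop.war trees instead of the sample by calling `compare(inventory(old_dir), inventory(new_dir))`; anything in `newly_reachable` is a component that can now be reached directly by URL and deserves a look before the release goes near production.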

One thought on “Webtop 6.8 EAP available”

  1. Pingback: I perceive the world: response.sendRedirect(String location) | Documentum in a (nuts)HELL
