WDK Vulnerabilities Prior To Webtop 6.8

There is just enough time left in 2014 to slip in one more ESA: ESA-2014-180, EMC Documentum Web Development Kit Multiple Vulnerabilities. As the title implies, this ESA addresses vulnerabilities that exist in ALL VERSIONS of WDK-based clients prior to Webtop 6.8 (by release date). These clients include:

  • Webtop 6.7 SP2 and earlier;
  • Documentum Administrator 7.1 and earlier;
  • Records Client 6.7 SP2 and earlier;
  • Digital Assets Manager 6.5 SP6 and earlier;
  • Web Publishers 6.5 SP7 and earlier;
  • Task Space 6.7 SP2 and earlier;
  • Engineering Plant Facilities Management Solution for Documentum 1.7 SP1 and earlier;
  • Capital Projects 1.9 and earlier.

The vulnerabilities include:

  • Cross-Site Scripting – EMC Documentum WDK and WDK based clients may be affected by multiple cross-site scripting vulnerabilities that could potentially be exploited by an attacker to inject malicious HTML or scripts. This may lead to execution of malicious code in the context of the authenticated user.
  • Cross-Site Request Forgery – EMC Documentum WDK and WDK based clients may be affected by a cross-site request forgery vulnerability. An attacker can potentially exploit this vulnerability to trick authenticated users of the application to click on specially crafted links that are embedded within an email, web page, or other source and perform Docbase operations with that user’s privileges.
  • URL Redirection – EMC Documentum WDK and WDK based clients may be affected by a URL redirection vulnerability that may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the un-validated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.
  • Frame Injection – EMC Documentum WDK and WDK based clients may be affected by a frame injection vulnerability. An attacker can potentially exploit this vulnerability to induce a user to navigate to a web page the attacker controls; the attacker’s page loads a third-party page in an HTML frame. This could result in the attacker stealing sensitive information.
  • Parameter Generated with Insufficient Randomness – EMC Documentum WDK and WDK based clients use a parameter that is being generated with insufficient randomness to reference Webtop components. An attacker can potentially exploit this vulnerability by predicting the parameter, helping the attacker to launch phishing attacks.
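The URL redirection item above hinges on a redirect parameter that is accepted without validation. The following is an added illustration, not code from EMC, WDK or the ESA: a vulnerable handler that echoes the parameter beside a hardened one that only accepts same-site destinations, rejecting the usual shapes that pass a naive "starts with /" test. The host `webtop.example`, the parameter name `redirectUrl` and the sample paths are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical hostname of the WDK application; constructed for this example.
APP_HOST = "webtop.example"


def redirect_target_is_safe(target: str, app_host: str = APP_HOST) -> bool:
    """Allow-list check for a redirect parameter: only same-site destinations pass."""
    # Reject empty values, whitespace and control characters (CR/LF would allow
    # header injection if the value is copied into a Location header).
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash absolute path on this site.
        # "//host/..." is protocol-relative, and browsers treat "/\host" the same way.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    # Absolute URL: require https and an exact hostname match. urlsplit().hostname
    # drops userinfo and the port, so "https://webtop.example@evil.example/" fails.
    host = (parts.hostname or "").lower()
    return parts.scheme.lower() == "https" and host == app_host.lower()


def vulnerable_redirect(params: dict) -> str:
    """'Before' shape: the un-validated parameter becomes the redirect target."""
    return params.get("redirectUrl", "/webtop/")


def hardened_redirect(params: dict, default: str = "/webtop/") -> str:
    """'After' shape: fall back to a fixed in-app page when the target fails the check."""
    target = params.get("redirectUrl", default)
    return target if redirect_target_is_safe(target) else default
```

Note that `http:/evil.example` (single slash) parses with an empty netloc but a non-empty scheme, so it falls through to the absolute-URL branch and is rejected rather than being mistaken for a local path.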

The only available resolution at the time of this writing is to upgrade Webtop to v6.8, which ships with WDK 6.8, the version that resolves these issues. However, Webtop 6.8 is the only application tested and certified to run with WDK 6.8, so until the other WDK-based clients are tested and certified, they remain vulnerable. EMC will continue to update the ESA with additional resolutions. Continue to check back.

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.
