Another D2 ESA

Short and sweet: By exploiting this vulnerability, remote unauthenticated users may download any document from the Docbase by knowing only the r_object_id of that document.

Resolution: Upgrade to D2 v4.5 patch 15, or D2 v4.6 patch 03.

Here is the link:  ESA-2016-108: EMC Documentum D2 Authentication Bypass Vulnerability


D2 and Google Charts

I saw this 3-part tutorial on the EDN this week discussing how to integrate Google Charts with D2 and thought it was worth sharing.  See what you think.


D2 Config Object Migrator

One of the big changes in D2 v4.6 was a change in the object hierarchy for the D2 config objects.  These objects now inherit from dm_sysobject so they can be protected with ACLs.  For new installs of D2 v4.6 there is no migration necessary; however, to upgrade D2 v4.5, your current configs must be “migrated” to new config object types.  EMC published a whitepaper, Documentum D2 4.6 Config Object Model Change and Migration, detailing this process using their migration tool, D2-Config-Migrator (packaged with D2 v4.6 download), to accomplish the feat.  In all, 71 types are migrated (they are listed in the whitepaper).  Good luck!


ESA for Documentum D2 Configuration Object Vulnerability

EMC has issued ESA-2016-034: EMC Documentum D2 Configuration Object Vulnerability.

Prior to EMC Documentum D2 4.6, many D2 Configuration object types were not properly protected with ACLs. As a result, an authenticated but unprivileged user could then modify or delete such objects.

EMC recommends that all customers upgrade to D2 4.6 at the earliest opportunity.

Really… that’s all it says.

UPDATE:  See an explanation of the vulnerability and the fix from Yuri Simione.

D2 v4.6 Available

In case you missed it last week, EMC announced the availability of D2 v4.6.  The most significant enhancement is the D2 REST API.  See the announcement here with more details.

D2 v4.5 Inbox Widget — Part 2

In my previous post, I provided an overview of my D2 Inbox widget design.  In this post I will discuss the JavaScript code required to maintain the freshness of the login ticket.  The JavaScript and OpenAjaxHub for the Inbox widget work essentially the same as they did for the D2 DQL Editor widget, with the exceptions discussed below.

As with the D2 DQL Editor widget, a ticket is generated when the JSP page initially loads.  This ticket is consumed by the query that immediately updates the page with the list of notifications in the user’s Inbox.  When a user clicks the subject of a notification to view its details, another query is generated to retrieve those details from the Docbase.  This means another ticket is required to login to the Docbase and run the query, which means the JavaScript must publish another D2_ACTION_DM_TICKET_GENERATE message.  Recall that the callback function for the message subscription event is onNewTicket().  In the D2 DQL Editor widget, this function immediately called the servlet to run the query.  With the D2 Inbox widget, a set of states is defined (INIT, UPDATE, DETAILS) that determines how onNewTicket() responds once it has received the new ticket.  See the code snippet below.


function onNewTicket(event, oMessage) {
  ticket = oMessage.get("ticket");

  if (inBoxState === INIT) {
    inBoxEvent = "";
    updateInbox();
  }

  if (inBoxState === UPDATE) {
    inBoxEvent = "";
    updateInbox();
  }

  if (inBoxState === DETAILS) {
    inBoxEvent = "";
    doShowItemDetail();
  }
}

The INIT state is set when the page first loads.  The result of this state is that the page of Inbox notifications is built.  The UPDATE state is set upon the closing of the Inbox Notification Details pop-up window.  When the pop-up closes, the Inbox notifications list is refreshed — one could have been deleted from the Details page.  The DETAILS state is set when a user clicks a link to view the details of a notification.  When the onNewTicket() function identifies a DETAILS state, it calls doShowItemDetail() to display the notification’s details.  More of the JavaScript is displayed below.

updateInbox()

The updateInbox() function calls the D2InboxQueryServlet servlet to run the query that displays the Inbox notifications.  It inserts the username, ticket, and Docbase name into the request body and uses AJAX to call the servlet. Here is the most interesting snippet of that code.


// Use the standard XMLHttpRequest where available and fall back to the
// ActiveX object only on old Internet Explorer.
var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");

// do AJAX
xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState === 4 && xmlhttp.status === 200) {
    document.getElementById("InboxTable").innerHTML = xmlhttp.responseText;
  }
};

xmlhttp.open("POST", "D2InboxQueryServlet", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Percent-encode each value: a login ticket can contain '+', '=' or '&',
// which the servlet's form parsing would otherwise misread.
xmlhttp.send("user=" + encodeURIComponent(user) +
             "&docbase=" + encodeURIComponent(docbase) +
             "&ticket=" + encodeURIComponent(ticket));
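The snippet above concatenates the user, Docbase and ticket straight into an application/x-www-form-urlencoded body. A login ticket is an opaque string, and if it happens to contain `+`, `=` or `&` the servlet's form parsing will change or truncate it, so the login silently fails. The following is an added example (not code from the widget or from EMC) that builds the same body with each value percent-encoded, and includes a small constructed model of how a servlet container splits and decodes a form body so the two approaches can be compared side by side. The sample ticket is constructed and is not a real DM_TICKET.

```javascript
// Added example (not the D2 Inbox widget's code): build the POST body for the
// Inbox query servlet with each parameter percent-encoded, and parse it back
// the way a servlet's getParameter() would, to show the ticket survives intact.

// Encode key=value pairs for application/x-www-form-urlencoded.
// encodeURIComponent turns '+', '=' and '&' in a value into %2B, %3D and %26,
// so they can no longer be mistaken for pair or key/value separators.
function formEncode(params) {
  return Object.keys(params)
    .map(function (k) {
      return encodeURIComponent(k) + "=" + encodeURIComponent(params[k]);
    })
    .join("&");
}

function buildInboxQueryBody(user, docbase, ticket) {
  return formEncode({ user: user, docbase: docbase, ticket: ticket });
}

// Minimal model of how a servlet container splits and decodes a form body:
// split on '&', split each pair on the FIRST '=', turn '+' into a space, then
// percent-decode. (Constructed stand-in, not the real container code.)
function parseFormBody(body) {
  var out = {};
  body.split("&").forEach(function (pair) {
    if (pair === "") return;
    var i = pair.indexOf("=");
    var k = i < 0 ? pair : pair.slice(0, i);
    var v = i < 0 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(k.replace(/\+/g, " "))] =
      decodeURIComponent(v.replace(/\+/g, " "));
  });
  return out;
}

// Naive concatenation, as in the original snippet, for comparison.
function buildNaiveBody(user, docbase, ticket) {
  return "user=" + user + "&docbase=" + docbase + "&ticket=" + ticket;
}

// Constructed sample ticket (NOT a real DM_TICKET): it contains '+', '=' and
// '&', all legal in an opaque token but all special inside a form body.
var SAMPLE_TICKET = "DM_TICKET=ab+cd/ef==&x";

// Encoded round trip: the servlet sees exactly the ticket the browser held.
function roundTripEncoded() {
  return parseFormBody(buildInboxQueryBody("jdoe", "repo1", SAMPLE_TICKET)).ticket;
}

// Naive round trip: '+' becomes a space and everything after '&' is lost.
function roundTripNaive() {
  return parseFormBody(buildNaiveBody("jdoe", "repo1", SAMPLE_TICKET)).ticket;
}
```

Run it in a browser console or under Node: roundTripEncoded() returns the constructed ticket unchanged, while roundTripNaive() returns a ticket with a space where the `+` was and the trailing `&x` gone. The same encoding applies to the query string that doShowItemDetail() builds for the details pop-up.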

showItemDetail()

The showItemDetail() function is called when a user clicks on the subject of an Inbox notification.  The URL built for each notification on the page calls this function and passes the r_object_id of the corresponding dmi_queue_item.  You can see the function sets the inBoxState variable to DETAILS and requests a new ticket.  Once the new ticket is received by the onNewTicket() function, the doShowItemDetail() method is called to present the pop-up.


function showItemDetail(objId) {
  objectId = objId;
  inBoxState = DETAILS;
  publishNewTicketRequest();
}

doShowItemDetail()

The doShowItemDetail() function pops open the window containing the details for the selected Inbox item.  Clicking the link opens the InboxDetail.jsp page, which uses Java and AJAX.

function doShowItemDetail() {
  // Percent-encode the values so a ticket containing '+', '=' or '&' is passed through intact.
  var url = "InboxDetail.jsp?itemId=" + encodeURIComponent(objectId) +
            "&user=" + encodeURIComponent(user) +
            "&docbase=" + encodeURIComponent(docbase) +
            "&ticket=" + encodeURIComponent(ticket);
  // The window features must be one string; the original split it across a line break.
  var features = 'height=400,width=500,toolbar=no,menubar=no,scrollbars=yes,resizable=no,location=no,directories=no,status=no';
  window.open(url, 'newwindow', features);
  objectId = "";
}

on_DetailsClose()

This function is called when the Details pop-up window closes.  It sets the inBoxState to UPDATE and requests a new ticket.  When a new ticket is received, the list of Inbox notifications is refreshed.

function on_DetailsClose() {
  inBoxState = UPDATE;
  publishNewTicketRequest();
}
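The snippets above are fragments of the widget's page, and the behaviour they rely on (each Docbase call needs a fresh single-use ticket, and onNewTicket() dispatches on the current state) is spread across several functions. As an added example, not code from the widget itself, here is the same state machine assembled in one place with constructed stand-ins for the OpenAjaxHub and for the Docbase, so the INIT, DETAILS and UPDATE flow from Part 1 can be exercised outside D2. The hub stand-in answers every D2_ACTION_DM_TICKET_GENERATE with a D2_EVENT_DM_TICKET_GENERATED message; the Docbase stand-in accepts a ticket exactly once, which is the property the widget's design depends on. The ticket values and the r_object_id are constructed.

```javascript
// Added example (not the D2 Inbox widget's code): the ticket-driven state
// machine with constructed stand-ins for the OpenAjaxHub and the Docbase.

var INIT = "INIT", UPDATE = "UPDATE", DETAILS = "DETAILS";

// Constructed hub stand-in: publishing D2_ACTION_DM_TICKET_GENERATE makes the
// hub answer synchronously with a D2_EVENT_DM_TICKET_GENERATED message that
// carries a fresh ticket (constructed values, not real DM_TICKETs).
function FakeHub() {
  this.subscribers = {};
  this.issued = 0;
}
FakeHub.prototype.subscribe = function (topic, cb) { this.subscribers[topic] = cb; };
FakeHub.prototype.publish = function (topic) {
  if (topic === "D2_ACTION_DM_TICKET_GENERATE") {
    this.issued += 1;
    var msg = { ticket: "TICKET-" + this.issued };
    var oMessage = { get: function (k) { return msg[k]; } };
    this.subscribers["D2_EVENT_DM_TICKET_GENERATED"]("D2_EVENT_DM_TICKET_GENERATED", oMessage);
  }
};

// Constructed Docbase stand-in: a login ticket is accepted exactly once.
function FakeDocbase() { this.spent = {}; }
FakeDocbase.prototype.login = function (ticket) {
  if (this.spent[ticket]) throw new Error("ticket already consumed: " + ticket);
  this.spent[ticket] = true;
  return true;
};

function InboxWidget(hub, docbase) {
  this.hub = hub;
  this.docbase = docbase;
  this.state = INIT;
  this.objectId = "";
  this.log = [];   // records each servlet call and the ticket it consumed
  hub.subscribe("D2_EVENT_DM_TICKET_GENERATED", this.onNewTicket.bind(this));
}
InboxWidget.prototype.publishNewTicketRequest = function () {
  this.hub.publish("D2_ACTION_DM_TICKET_GENERATE");
};
// Same dispatch as the widget's onNewTicket(): the state set before the ticket
// request decides which servlet the new ticket is spent on.
InboxWidget.prototype.onNewTicket = function (event, oMessage) {
  var ticket = oMessage.get("ticket");
  this.docbase.login(ticket);   // throws if the ticket was already used
  if (this.state === INIT || this.state === UPDATE) {
    this.log.push("D2InboxQueryServlet:" + ticket);
  } else if (this.state === DETAILS) {
    this.log.push("D2InboxDetailQueryServlet:" + this.objectId + ":" + ticket);
    this.objectId = "";
  }
};
InboxWidget.prototype.load = function () {
  this.state = INIT;
  this.publishNewTicketRequest();
};
InboxWidget.prototype.showItemDetail = function (objId) {
  this.objectId = objId;
  this.state = DETAILS;
  this.publishNewTicketRequest();
};
InboxWidget.prototype.onDetailsClose = function () {
  this.state = UPDATE;
  this.publishNewTicketRequest();
};

// Drive the sequence from Part 1: load the Inbox, open one notification,
// close the details pop-up. Each step spends a different ticket.
function runScenario() {
  var w = new InboxWidget(new FakeHub(), new FakeDocbase());
  w.load();
  w.showItemDetail("1b0000018000abcd");   // constructed r_object_id
  w.onDetailsClose();
  return w.log;
}

// What goes wrong if a widget reuses a ticket instead of requesting a new one.
function reuseTicketFails() {
  var db = new FakeDocbase();
  db.login("TICKET-1");
  try { db.login("TICKET-1"); return false; } catch (e) { return true; }
}
```

runScenario() returns three log entries, each with a different ticket: the initial Inbox build on TICKET-1, the details query for the selected dmi_queue_item on TICKET-2, and the refresh after the pop-up closes on TICKET-3. reuseTicketFails() shows why the widget must not cache a ticket across calls.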

In summary, this isn’t a very complicated widget.  The primary difference between this widget and the D2 Query Editor widget is the necessity to refresh the tickets and to react differently depending upon the inBoxState state variable.  I hope you find this widget useful and use it as a foundation for building your own D2 external widgets.

You can download the D2 Inbox WAR file here.

D2 v4.5 Inbox Widget — Part 1

Building on the success of the D2 DQL Editor external widget, I embarked on building a D2 external widget to fill another gap in D2 capability:  the Inbox.  My D2 Inbox external widget mimics the Webtop Inbox node for notifications (see figure).  This widget used the same framework I established in the D2 DQL Editor widget, but required some additions to the JavaScript code to handle some unique login ticket issues.

[Figure: D2InboxDetail]
Let’s walk through the design before we jump into the code; please refer to the figure below.

[Figure: D2InboxDesign]

Widget Initialization (green line)

The Inbox widget is initialized when the D2 tab containing it is activated.  Upon activation, D2 loads D2Inbox.jsp, which fires off a series of JavaScript methods and AJAX calls.  First, JavaScript parses the URL query string to retrieve the user name and Docbase name passed in by D2 (this is configured in D2-Config).  Next, the OpenAjaxHub is instantiated and registered to listen for the D2_EVENT_DM_TICKET_GENERATED message, and immediately requests a login ticket.  Once the ticket arrives, an AJAX call is made to the D2InboxQueryServlet to build the Inbox page.

Inbox Message Details (red line)

When an Inbox notification is clicked, its details are displayed in a pop-up window (InboxDetail.jsp).  A new ticket is requested from the OpenAjaxHub and then passed to an AJAX call to login to the Docbase and retrieve the message details.  Note that a new ticket is required to login because the previous ticket was used to generate the Inbox page, and is now invalid.  More about tickets and ticket management later.  The D2InboxDetailQueryServlet builds the pop-up window containing the message details.

Delete Inbox Message (blue line)

From the message detail pop-up, the user can delete the message from the Inbox.  The delete is performed by the D2InboxDeleteQueueItemServlet, and upon its completion, closes the pop-up window and refreshes the Inbox.

Close Inbox Message Details (brown line)

Closing the Inbox message details pop-up simply returns the user to the Inbox page (no refresh).

In the next post I will discuss the details of managing tickets and configuring the widget in D2-Config.  You can download the D2 Inbox WAR file here.

D2 ETA for Read-Only Operations

There is an interesting new ETA for D2:  ETA 208101: Documentum D2: Attempts to run content operations with read-only permissions may result in potential data loss.  It seems that a previous Content Server security patch (v7.1 P18 and v7.2 P02) shored up the security of the dmr_content object but disabled the following operations in D2:

  • Sending documents to workflows.
  • Creating new content based on templates.
  • Restoring objects from the D2 Recycle Bin (D2-Bin).
  • Applying Virtual Document templates.
  • Applying inheritance when creating new content.

Oops!  I’m guessing some of these operations are important to a lot of D2 implementations.

If you are running D2, EMC advises NOT to install Content Server patch v7.1 P18 or v7.2 P02 (or later) until a patch is available for D2 v4.2 or v4.5.

D-Top D2 Starter Project

Check out the D2 starter project I just published over on Armedia’s blog.

[Figure: D-Top-1]

You can download the project here.

D2 v4.5 DQL Editor Widget – Part 4

In the last post of this series I will discuss how to install and configure the D2 DQL Editor external widget. To recap:

  • Part 1 – overview of widget design,
  • Part 2 – discussion of JavaScript and OpenAjaxHub implementation,
  • Part 3 – discussion of Java servlet to run query and format results.

Installation and configuration of the D2 DQL Editor widget occurs in three easy steps:

  1. First, install the D2DQL.war file on your application server (I only tested with Tomcat). The WAR should contain all of the necessary DFC, dmRecordSet, and DCTMBasics JARs (in /WEB-INF/lib), in addition to the DQLQueryServlet.class class file, D2DQLEditor.jsp JSP file, and DQL.css style sheet.  The directory structure should look like this:
    • ../webapps/D2DQL
      • D2DQLEditor.jsp
      • /META-INF
      • /resources
        • DQL.css
        • D2-OAH.js
        • OpenAjaxManagedHub-all.js
      • /WEB-INF
        • /lib
          • aspectjrt.jar
          • certFIPS.jar
          • commons-lang-2.4.jar
          • DCTMBasics.jar
          • dfc.jar
          • dmRecordSet.jar
          • jsafeFIPS.jar
          • log4j.jar
        • /classes/com/dm_misc/D2
          • DQLQueryServlet.class
  2. In D2-Config, configure a new widget using the settings below (you may need to adjust the URL for your environment).  See the EMC Documentum D2 v4.5 Administration Guide for details on configuring new widgets in D2 configurations.
    • Name:  D2DQL
    • Label and Description:  D2DQL
    • Widget Type: ExternalWidget
    • Widget URL:  http://localhost:8080/D2DQL/D2DQLEditor.jsp?user=$USER&docbase=$DOCBASE
    • Bi-directional Communications:  checked
    • Communication Channels:  D2_ACTION_DM_TICKET_GENERATE

[Figure: D2DQL-D2-Config]

  3. Configure the D2DQL widget on a D2 workspace and configure it in the Configuration Matrix appropriately.

Login to D2, open your workspace, and run a query.

[Figure: D2DQLEditor]

You can download the WAR file and all of the source code for the D2 DQL Editor here.

I hope this series of blog posts on building the D2 DQL Editor has been valuable to you.  I find the widget itself useful and the experience of developing it incredibly valuable.  I hope to build additional D2 external widgets using this model in the future.

Leave me a comment, I’d be happy to hear your thoughts.
