------------------------------------------------=0D
=0D
 Multiple Vulnerabilities in EASY Enterprise DMS=0D
 - Stored XSS=0D
 - XSS=0D
 - Content Injection / Phishing through Frames=0D
 - Unauthorized access to files=0D
 - Unauthorized manipulation of data=0D
 Date: 25.03.2010=0D
=0D
------------------------------------------------=0D
=0D
EASY Enterprise is a widespread and popular document management system.=0D
Release version 6.0f (Nov 24 2009  #1752) has been found vulnerable to multiple attacks, which affect the integrity and confidentiality of stored content, as well as a compromise of multitenancy.=0D
=0D
- XSS, CI / Phishing=0D
File: epctrl.jsp=0D
Parameter: login=0D
Parameter: lng=0D
Parameter: dsn=0D
=0D
File: dlc_printLB.jsp=0D
Parameter: dlcFileId=0D
=0D
=0D
- Stored XSS=0D
In file upload function, parameter filename. No further example will be provided.=0D
=0D
- Unauthorized access to files=0D
By changing a URL Parameter (dlcFolderId) to a proper value, it is possible to get access to files the user has no rigths on.=0D
=0D
in Addition by guessing values for parameters dlcDocumentId and dlcFileId an unprivileged user is able to download any file stored in the application.=0D
=0D
- Unauthorized manipulation of data=0D
By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate stored data (document owner, upload user, document state, approval flag)=0D
=0D
=0D
- Solution=0D
Contact the vendor for a patch or upgrade to version 1754 or higher.=0D
=0D
- Credits=0D
=0D
The vulnerabilities were discovered by Michael Mueller from Integralis=0D
michael#dot#mueller#at#integralis#dot#com=0D
=0D
- Timeline=0D
04.01.2010 - Vulnerabilities discovered=0D
04.01.2010 - Vendor contacted with details=0D
05.01.2010 - Initial vendor response with ACK and fix solution=0D
21.01.2010 - Additional vulnerabilities discovered=0D
22.01.2010 - Vendor contacted with details=0D
Up to date: No vendor response=0D
25.03.2010 - Public release=0D
=0D