Advisory: EMC eRoom 7.2.3 Insufficient Authentication
Version Affected: Documentum eRoom 7.2.3 and earlier
Description:
eRoom 7.2.3 and earlier versions enforce insufficient authentication on the login page. An attacker can use forced browsing to traverse the contents of the /eRoomData directory: no authentication credentials are required, and the directory structure can be accessed directly by requesting its URL.
Proof of Concept:
URL to eRoom : http://www.url_to_eroom/eRoomData
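As an added example (not part of the original advisory and not EMC's or the author's code), the following Python checker issues the unauthenticated request to /eRoomData described above against a host you are authorized to test and classifies what came back: a directory listing (the behaviour reported here), a redirect to or rendering of a login page, or a denial. The sample responses embedded in it are constructed for illustration, and the login-URL keywords and listing markers are assumptions about common web-server layouts rather than anything taken from eRoom itself.

```python
"""Forced-browsing check for an unauthenticated eRoom data directory.

Added example, not part of the original advisory. Host names, paths other
than /eRoomData, and the sample responses below are constructed.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Path named in the advisory.
EROOM_DATA_PATH = "/eRoomData/"

# Markers typical of web-server directory listings (Apache and IIS styles);
# these are assumptions about generic server output, not eRoom-specific.
LISTING_MARKERS = (
    re.compile(r"<title>\s*index of", re.I),
    re.compile(r"<h1>[^<]*\s-\s/[^<]*</h1>", re.I),   # IIS: "<H1>host - /eRoomData/</H1>"
    re.compile(r"\[To Parent Directory\]", re.I),
    re.compile(r"Parent Directory", re.I),
)
# A rendered login form is the expected, non-vulnerable outcome.
LOGIN_HINTS = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def classify_response(status, headers, body):
    """Decide what an unauthenticated GET of /eRoomData/ revealed.

    Returns one of:
      "listing" - 200 with a directory index in the body (the reported issue)
      "login"   - redirected to a login-looking URL or rendered a login form
      "denied"  - 401/403/404 style denial
      "other"   - anything else; inspect manually
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        loc = hdrs.get("location", "")
        # Assumption: login endpoints carry one of these words in the path.
        return "login" if re.search(r"login|logon|auth", loc, re.I) else "other"
    if status in (401, 403, 404):
        return "denied"
    if status == 200:
        if any(m.search(body) for m in LISTING_MARKERS):
            return "listing"
        if LOGIN_HINTS.search(body):
            return "login"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 302 to a login page is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """Fetch /eRoomData/ from a live server with no credentials and classify it."""
    url = urljoin(base_url, EROOM_DATA_PATH)
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "eroom-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.getcode(), dict(resp.headers), body)
    except urllib.error.HTTPError as e:
        # Redirects and 4xx responses arrive here because of _NoRedirect.
        return classify_response(e.code, dict(e.headers), "")


# Constructed sample responses (not captured from a real server).
SAMPLE_LISTING = (200, {"Content-Type": "text/html"},
                  "<html><head><title>www.example.com - /eRoomData/</title></head>"
                  "<body><H1>www.example.com - /eRoomData/</H1><hr><pre>"
                  "<A HREF=\"/\">[To Parent Directory]</A><br><br>"
                  "<A HREF=\"/eRoomData/Facility1/\">Facility1</A></pre></body></html>")
SAMPLE_LOGIN = (302, {"Location": "/eRoom/Login.asp?ReturnUrl=%2feRoomData%2f"}, "")
SAMPLE_DENIED = (403, {"Content-Type": "text/html"}, "<html>Forbidden</html>")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))
    else:
        for name, sample in (("listing", SAMPLE_LISTING), ("login", SAMPLE_LOGIN),
                             ("denied", SAMPLE_DENIED)):
            print(name, "->", classify_response(*sample))
```

Run it with the base URL of an eRoom server (for example `python check.py http://www.url_to_eroom/`) and treat a "listing" result as confirmation of the behaviour in this advisory; a "login" or "denied" result means the server is not exposing the directory to anonymous clients, at least for this path. Redirects are deliberately not followed so that a 302 to the login page is reported as such rather than being silently turned into a 200.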
Disclosure Timeline:
Release Date: 14 October, 2008
Vendor Response:
Vulnerability reported to EMC. A newer version, 7.3.2, is already available.
Note: Organizations using 7.2.3 must upgrade to eRoom 7.3.2.
EMC Response: After a complete engineering investigation, this issue was found to be resolved in newer versions of Documentum eRoom. Specifically, versions of eRoom prior to 7.2.3 are affected; all newer versions do not appear to exhibit this behavior. Version 7.2.3 was released in 2005, and is now end-of-life as all versions prior to 7.3.2 went end-of-life at the end of September. As such, customers should upgrade to the latest version 7.3.2 or newer.
Credit:
Aditya K Sood
Disclaimer:
The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no representations or warranties, either express or implied, by or with respect to anything in this document, and the author shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.