Multiple Vulnerabilities in EASY Enterprise DMS
EASY Enterprise is a widespread and popular document management system.
Release version 6.0f (Nov 24 2009 #1752) has been found vulnerable to multiple attacks, which affect the
integrity and confidentiality of stored content, as well as a compromise of multitenancy.
File: dlc_printLB.jsp
Parameter: dlcFileId
Stored XSS
In file upload function, parameter filename. No further example will be provided.
Unauthorized access to files
By changing a URL Parameter (dlcFolderId) to a proper value, it is possible to get access to files the
user has no rigths on.
in Addition by guessing values for parameters dlcDocumentId and dlcFileId an unprivileged user is able to
download any file stored in the application.
Unauthorized manipulation of data
By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate
stored data (document owner, upload user, document state, approval flag)
Solution
Contact the vendor for a patch or upgrade to version 1754 or higher.
Credits
The vulnerabilities were discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com