OpenText Document Sciences full of holes – multiple vulnerabilities found

by Nick Evans | Oct 02, 2017 | Articles

Several flaws have been discovered in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) that could enable hackers to mount SQL injection attacks. Other flaws could allow cross-site scripting attacks.

According to a posting on Seclists, due to lack of prepared statements an application is prone to SQL Injection attacks. According to security researcher Marcin Woloszyn, a potential attacker can “retrieve data from application database by exploiting the issue.”

A second flaw makes it possible to inject Javascript into the application which will be reflected to unaware application users.

“This might allow an attacker to perform actions on behalf of unaware application users. In order to remediate the issue, proper input validation, sanitising and output encoding should be conducted on server side,” said Woloszyn.

There is also a flaw that where an authenticated user is able to read arbitrary system file due to path traversal issue. As well as that, another flaw in the Application XML parser is accepting DOCTYPE in provided XML documents, either directly or indirectly, using URLs.

“This can be exploited in various of ways, eg to read directory listings, read system or application files, cause denial of service or issue requests on behalf of server (SSRF),” he said.

Paul Woods, chief architect at GeoLang, said that in general the way to stop attacks is to follow best practice, which is freely available online via the Open Web Application Security Project – OWASP.

“I suppose the real question is why do software developers not follow best practice when it is so freely available?” he said. “The answer might be poor management, or developers being incentivised to ship features quickly. Security is too often seen as an optional extra and it ends up in the bucket called ‘technical debt’. Building secure software is expensive; total security is impossible anyway.”

Originally posted in SC Magazine: