At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability.
In this blog, I want to share the details of this vulnerability.
How to Reproduce
To reproduce this vulnerability, you can follow the steps below:
- Sign into CLM with a user account, such as “chbest2”, with the permission "JazzAdmins".
- Then create a new user account “test123” with the permissions "JazzUsers" and "JazzProjectAdmins", and set the Client Access Licenses. See Figure 1 below.
Figure 1. Create a new account
- Sign into CLM using the newly-created user account “test123”.
- Then open the link https://172.22.5.239:9443/ccm/admin#action=com.ibm.team.process.editProjectArea&itemId=new in the same browser. Please note that 172.22.5.239 should be replaced with the CLM server's IP address.
- Then click "Deploy predefined process template" to deploy a process template. See Figure 2 below.
Figure 2. Deploy a process template
- Then fill the "Project Area Name" field with the PoC "img src=X onerror=alert(6)" and save it. See Figure 3 below.
Figure 3. Fill the "Project Area Name" field with the PoC
- Sign into CLM with the aforementioned user account “chbest2”.
- Then open https://172.22.5.239:9443/ccm/quickplanner/cp in the same browser. Please note that 172.22.5.239 should be replaced with the CLM server's IP address. You’ll see a dialog window pop up with the value ‘6’ specified in the PoC because the code injected on the webpage by the user “test123” has been executed.
Figure 4. Injected code is executed
Figure 5. Injected code is contained in generated web page
According to our tests, this XSS vulnerability works on the Chrome and IE 11 browsers. It is a stored XSS vulnerability, meaning that the injected code is permanently stored on the vulnerable target server. When a victim navigates to the affected web page in a browser, the injected XSS code is served as part of the web page. This means that victims inadvertently end up executing the malicious code as soon as the web page is viewed in a browser.
The XSS vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script code in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
All users of CLM are encouraged to upgrade to the latest version of the CLM software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature IBM.Collaborative.Lifecycle.Management.XSS.