"Serena TeamTrack is a Web-architected, secure and highly configurable enterprise process management solution". We have discovered a security flaw with which a remote attacker can disclosure sensitive information off a TeamTrack server without needing to have a valid username/password combination.
* Serena Software's TeamTrack version 6.1.1
The last we heard from them was on 8 May 2004 stating: Thank you for bringing this issue to our attention. We are currently evaluating the issue and will address it as soon as commercially possible. I am sure that you will agree that while Serena is evaluating this issue and preparing any required fixes, it would be best to keep this information confidential to ensure that Serena's customers are protected.
The vulnerability involves accessing any HTML (dynamically generated) file under the TeamTrack server by requesting it through the LoginPage directive. As the LoginPage directive does not require a user to be logged on, while still processing the data keywords found in the HTML file, an attacker can access sensitive information by accessing key HTML files.
The vulnerability caused by this are:
1) Cross Site Scripting (in the case where Cookies are used as the means of authentication, a Cookie stolen could be used to hijack the existing session, NOTE: a third-party user would be required to open a specially crafted URL being sent to him, for this to happen)
2) User enumeration
3) System Information Disclosure (Product version, Web Server version, Web Server OS, DB Name/Type/Version)
4) Contact information (from the Contacts table)
5) Issue information (from the Issues table)
6) Resolution information (from the Resolution table)
A few months ago Beyond Security built a new module for its Automated Scanning Vulnerability Assessment engine to test web sites and web applications for security vulnerabilities. This module adds the capability to dynamically crawl through a web site and find vulnerabilities in its dynamic pages.
This type of tool was considered to be different from the network VA tools, but we at Beyond Security believe that these two types of tools should be merged into one, and this is what made us incorporate the Web Site Security Audit module to our Automated Scanning engine.
Our Automated Scanning engine equipped with the Web Site Security Audit module did all the tests described in this advisory automatically.
Exploit (for all of the above issues):
if (($#ARGV+1) < 3)
print "Serena_hack.pl option host path
\t1 - Cross Site Scripting issue
\t2 - Enumerate users (First name)
\t3 - System information disclosure
\t4 - Contact name (default is Record ID 1)
\t5 - Name of Issue (default is Record ID 1)
\t6 - Name of Resolution (default is Record ID 1)