IBM Rational Collaborative Lifecycle Management XSS Vulnerability

At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability.

In this blog, I want to share the details of this vulnerability.

How to Reproduce

To reproduce this vulnerability, you can follow the steps below:

1. Sign into CLM with a user account, such as “chbest2”, with the permission "JazzAdmins".
2. Then create a new user account “test123” with the permissions "JazzUsers" and "JazzProjectAdmins", and set the Client Access Licenses. See Figure 1 below.

Figure 1. Create a new account

3. Sign into CLM using the newly-created user account “test123”.
4. Then open the link https://172.22.5.239:9443/ccm/admin#action=com.ibm.team.process.editProjectArea&itemId=new in the same browser. Please note that 172.22.5.239 should be replaced with the CLM server's IP address.
5. Then click "Deploy predefined process template" to deploy a process template. See Figure 2 below.

Figure 2. Deploy a process template

6. Finally fill the "Project Area Name" field with the PoC "img src=X onerror=alert(6)". See Figure 3 below.

Figure 3. Fill the "Project Area Name" field with the PoC

7. Sign into CLM with the aforementioned user account “chbest2”.
8. Then open https://172.22.5.239:9443/ccm/quickplanner/cp in the same browser. Please note that 172.22.5.239 should be replaced with the CLM server's IP address. You’ll see a dialog window pop up with the value ‘6’ specified in the PoC because the code injected on the webpage by the user “test123” has been executed.

Figure 4. Injected code is executed

Analysis

By analyzing the code of CLM, we find that the root cause of the vulnerability is that the special characters in the data passed to the javascript file "crossproject.min.js" are not checked and escaped correctly. Following is the code snippet:

The user input in the "Project Area Name" field is stored in the variable "t[t.Model.propLabel]" in the above code. The value provided in the PoC is "img src=X onerror=alert(6)". Because the javascript code does not correctly check and escape special characters in the user input, the web page generated by the code contains the malicious code provided by the user. This results in the XSS vulnerability. See Figure 5 below.

Figure 5. Injected code is contained in generated web page

According to our tests, this XSS vulnerability works on Chrome and IE 11 browsers. It is a stored XSS vulnerability, meaning that the injected code is permanently stored on the vulnerable target server. When a victim navigates to the affected web page in a browser, the injected XSS code will then be served as part of the web page. This means that victims will inadvertently end-up executing the malicious code once the web page is viewed in a browser.

The XSS vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script code in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Solution

All users of CLM are encouraged to upgrade to the latest version of the CLM software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature IBM.Collaborative.Lifecycle.Management.XSS.