Threat Research
At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability.
In this post, I want to share the details of this vulnerability.
To reproduce it, follow the steps shown in Figures 1 to 4 below:
Figure 1. Create a new account
Figure 2. Deploy a process template
Figure 3. Fill the "Project Area Name" field with the PoC
Figure 4. Injected code is executed
By analyzing the code of CLM, we find that the root cause of the vulnerability is that special characters in the data passed to the JavaScript file "crossproject.min.js" are neither checked nor escaped correctly. Following is the code snippet:
In the above code, the user input from the "Project Area Name" field is held in the variable "t[t.Model.propLabel]". The value supplied in the PoC is "img src=X onerror=alert(6)". Because the JavaScript code does not check or escape special characters in this user input, the web page it generates contains the user-supplied code verbatim, and that is the XSS vulnerability. See Figure 5 below.
Figure 5. Injected code is contained in generated web page
According to our tests, this XSS vulnerability works in the Chrome and IE 11 browsers. It is a stored XSS vulnerability: the injected code is permanently stored on the vulnerable server, and whenever a victim navigates to the affected page, the injected code is served as part of that page, so the victim's browser executes the malicious code as soon as the page is viewed.
The vulnerability is caused by improper validation of user-supplied input. A remote attacker could exploit it using a specially crafted URL to execute script code in a victim's web browser within the security context of the hosting website, and could use it to steal the victim's cookie-based authentication credentials.
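The pattern described above (a user-controlled label concatenated into markup without escaping) alongside the two defences the post points to, output encoding and input validation, as an added example written for this post; it is not CLM's code or a Fortinet artifact. The function names, the span template, the allow-list pattern and the benign sample name are assumptions made for this example; the hostile sample is the post's PoC value written out as a complete img tag, which is an assumption about the exact form shown in Figure 3.

```javascript
// Added example, not code from CLM or from this post. Shows the vulnerable
// render pattern, the escaping fix, a server-side allow-list check, and a
// small check a tester can run over rendered output.

// Constructed sample inputs (assumptions, not values from the post).
const BENIGN_NAME = 'Payments & Billing';
// The post's PoC value, assumed to have been entered as a full img tag.
const HOSTILE_NAME = '<img src=X onerror=alert(6)>';

// Vulnerable pattern: the label is concatenated straight into markup, so any
// markup metacharacters in it are parsed by the browser as HTML.
function renderLabelUnsafe(label) {
  return '<span class="projectName">' + label + '</span>';
}

// Output encoding: every character that can switch the HTML parser out of
// text context is replaced by its entity, so the value is only ever text.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// Fixed pattern: identical template, but the label is encoded before insertion.
function renderLabelSafe(label) {
  return '<span class="projectName">' + escapeHtml(label) + '</span>';
}

// Server-side validation (defence in depth): a project-area name has no need
// for markup metacharacters. The allow-list is an assumption for this example,
// not CLM's own rule; note it also rejects the benign "&" name, which is why
// output encoding, not validation, is the primary fix.
const PROJECT_NAME_RE = /^[A-Za-z0-9 _.\-]{1,64}$/;
function isValidProjectName(name) {
  return PROJECT_NAME_RE.test(name);
}

// Check for a tester or reviewer: does the rendered markup contain any tag the
// template did not put there, or an event-handler attribute inside a tag?
// Escaped text never produces a "<", so it never reaches this scan as a tag.
function containsInjectedMarkup(html, templateTags = ['span']) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (!templateTags.includes(name.toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;
  }
  return false;
}

// Stand-alone demonstration.
console.log('unsafe :', renderLabelUnsafe(HOSTILE_NAME));
console.log('safe   :', renderLabelSafe(HOSTILE_NAME));
console.log('unsafe injected?', containsInjectedMarkup(renderLabelUnsafe(HOSTILE_NAME)));
console.log('safe injected?  ', containsInjectedMarkup(renderLabelSafe(HOSTILE_NAME)));
console.log('hostile passes validation?', isValidProjectName(HOSTILE_NAME));
```

Running this under Node prints the same label rendered both ways: the unsafe output carries a second tag with an onerror handler, while the safe output carries only entity-encoded text inside the template's span. The validation check is a second layer, not a replacement; the encoding step is what makes the rendered page safe regardless of what was stored.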
All users of CLM are encouraged to upgrade to the latest version of the CLM software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature IBM.Collaborative.Lifecycle.Management.XSS.