Open Source and information security mailing list archives
Date: Fri, 12 Jun 2009 04:56:33 -0600
From: roland.gruber.extern@...creditgroup.eu
To: bugtraq@...urityfocus.com
Subject: Serena Dimensions CM has insufficient default privileges

Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: unauthorized read access to items
Problem type: local


Problem description:
====================

This vulnerability allows any user holding any role on a Dimensions product to gain read access to all of the items that product contains.

Dimensions lets you restrict access to items by relating them to designparts on which explicit roles are assigned. For example, users foo and bar hold the role DEVELOPER on the top-level designpart, which allows them to get items. Now there is a sub-designpart RESTRICTED on which every existing role is explicitly assigned to foo. This prevents bar from getting any files of that designpart, because he no longer holds any role on it. Unfortunately, this restriction is only enforced for item fetches and browsing.

The user bar may simply run a recursive get command (e.g. on the top-level designpart), which the Desktop Client executes as a DOWNLOAD command. This command does not block access to the items on RESTRICTED, because the privilege rules for DOWNLOAD are less restrictive than those for a fetch. Afterwards, bar can read the items on his local machine.


Resolution:
===========

Remove the rule "User holds any role on the product owning the object" for the privilege "Download Files from Project". This needs to be done for all registered Dimensions products.
The vendor plans a solution for release 2009 R2 (11/2009).
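To make the mismatch between the two privilege checks concrete, here is an added model of the scenario from the problem description and of the resolution above. It is not Serena's code; it assumes that designparts form a tree in which a role assignment is inherited by child designparts until a child carries its own explicit assignment for that role, and the role names, designpart names and user names are constructed.

```python
from dataclasses import dataclass, field

ROLES = ("DEVELOPER", "REVIEWER")  # assumed role names for this model


@dataclass
class DesignPart:
    name: str
    parent: "DesignPart | None" = None
    roles: dict = field(default_factory=dict)  # role -> users explicitly assigned here

    def holders(self, role):
        # Nearest explicit assignment (self first, then ancestors) decides; else nobody.
        node = self
        while node is not None:
            if role in node.roles:
                return node.roles[role]
            node = node.parent
        return frozenset()

    def roles_of(self, user):
        return {r for r in ROLES if user in self.holders(r)}


def product_roles(user, parts):
    # "User holds any role on the product": a role on any designpart counts.
    return set().union(*(p.roles_of(user) for p in parts))

def may_fetch(user, part):
    # Item fetch / browse: needs a role on the item's owning designpart.
    return bool(part.roles_of(user))

def may_download(user, part, parts, default_rule=True):
    # "Download Files from Project" as shipped grants it to anyone with any role on
    # the product; with that rule removed it falls back to the per-designpart check.
    if default_rule:
        return bool(product_roles(user, parts))
    return may_fetch(user, part)


# Constructed scenario from the advisory: foo and bar are DEVELOPERs on the
# top-level designpart; RESTRICTED explicitly assigns every role to foo only.
TOP = DesignPart("TOP", roles={"DEVELOPER": {"foo", "bar"}})
RESTRICTED = DesignPart("RESTRICTED", parent=TOP, roles={r: {"foo"} for r in ROLES})
PARTS = (TOP, RESTRICTED)

if __name__ == "__main__":
    for user in ("foo", "bar"):
        print(user, "fetch:", may_fetch(user, RESTRICTED),
              "download as shipped:", may_download(user, RESTRICTED, PARTS),
              "download fixed:", may_download(user, RESTRICTED, PARTS, False))
```

With the shipped rule, bar is denied a fetch from RESTRICTED yet allowed to download it; removing the rule makes both checks agree.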
