Serena Dimensions CM has insufficient default privileges
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Serena Dimensions CM has insufficient default privileges
- From: roland.gruber.extern@xxxxxxxxxxxxxxxxx
- Date: Fri, 12 Jun 2009 04:56:33 -0600
Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: unauthorized read access to items
Problem type: local
Problem description:
====================
This vulnerability allows users holding any role on a Dimensions product to gain
read access to all items the product contains.
Dimensions allows you to restrict access to items by relating them to
designparts on which explicit roles are assigned. E.g. users foo and bar have the
role DEVELOPER on the top-level designpart, which allows them to get items. Now
there is a sub-designpart RESTRICTED which has explicit role assignments of all
existing roles for foo only. This prevents bar from getting any files of this
designpart because he no longer holds any role on it. Unfortunately, this is only
enforced for item fetches and browsing.
The user bar may simply run a recursive get command (e.g. on the top-level
designpart), which is executed as a DOWNLOAD command in the Desktop Client. This
command does not prevent access to items on RESTRICTED because the privileges
for DOWNLOAD are less restrictive than those for a plain get. Afterwards, bar can
read the items on his local machine.
Resolution:
===========
Remove the rule "User holds any role on the product owning the object" for the
privilege "Download Files from Project". This needs to be done for all
registered Dimensions products.
The vendor plans a solution for release 2009 R2 (11/2009).
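As an added illustration (this is not Dimensions CM code and not from the advisory's author), the following Python models rule-based privilege evaluation over a product's designpart tree. It reproduces the scenario above: foo and bar hold DEVELOPER on the top-level designpart, RESTRICTED re-assigns roles explicitly to foo only, and the "Download Files from Project" privilege carries the extra rule "User holds any role on the product owning the object". The "any rule passes" semantics, the role-inheritance model, and every class and function name are assumptions made for the example; only the users, role, designpart names, privilege name and rule text come from the advisory.

```python
"""Hypothetical model of Dimensions-style privilege rules (not vendor code).
Shows how one product-wide fallback rule on the download privilege bypasses
the per-designpart restriction that the get privilege enforces, and how
removing that rule (the advisory's resolution) closes the gap."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class DesignPart:
    name: str
    parent: DesignPart | None = None
    # Explicit role assignments on this designpart (role -> users). None means
    # the part inherits its parent's assignments (assumed inheritance model).
    explicit_roles: dict[str, set[str]] | None = None

    def roles_of(self, user: str) -> set[str]:
        """Roles the user holds on this designpart, following inheritance."""
        if self.explicit_roles is not None:
            return {r for r, users in self.explicit_roles.items() if user in users}
        return self.parent.roles_of(user) if self.parent else set()


@dataclass
class Product:
    name: str
    parts: list[DesignPart] = field(default_factory=list)

    def roles_anywhere(self, user: str) -> set[str]:
        """Roles the user holds on any designpart of the product."""
        return set().union(*(p.roles_of(user) for p in self.parts))


@dataclass(frozen=True)
class Rule:
    """A rule grants a privilege on an object owned by `part` of `product`.
    A privilege is granted when ANY of its rules passes (assumed semantics)."""
    name: str
    check: Callable[[Product, DesignPart, str], bool]


# Rule text as quoted in the advisory's resolution.
PRODUCT_WIDE_RULE = "User holds any role on the product owning the object"

role_on_owning_part = Rule(
    "User holds role DEVELOPER on the designpart owning the object",
    lambda product, part, user: "DEVELOPER" in part.roles_of(user))
any_role_on_product = Rule(
    PRODUCT_WIDE_RULE,
    lambda product, part, user: bool(product.roles_anywhere(user)))

# Weak configuration: "get" is checked against the owning designpart only,
# while "download" additionally accepts any role held anywhere on the product.
WEAK_PRIVILEGES: dict[str, list[Rule]] = {
    "Get Item": [role_on_owning_part],
    "Download Files from Project": [role_on_owning_part, any_role_on_product],
}


def allowed(privileges: dict[str, list[Rule]], privilege: str,
            product: Product, part: DesignPart, user: str) -> bool:
    return any(rule.check(product, part, user) for rule in privileges[privilege])


def harden(privileges: dict[str, list[Rule]]) -> dict[str, list[Rule]]:
    """Apply the resolution: drop the product-wide rule from the download
    privilege so it is evaluated against the owning designpart like a get."""
    fixed = {p: list(rules) for p, rules in privileges.items()}
    fixed["Download Files from Project"] = [
        r for r in fixed["Download Files from Project"] if r.name != PRODUCT_WIDE_RULE]
    return fixed


def build_scenario() -> tuple[Product, DesignPart, DesignPart]:
    # Constructed sample: TOP grants DEVELOPER to foo and bar; RESTRICTED
    # re-assigns every existing role (here only DEVELOPER) explicitly to foo.
    top = DesignPart("TOP", explicit_roles={"DEVELOPER": {"foo", "bar"}})
    restricted = DesignPart("RESTRICTED", parent=top,
                            explicit_roles={"DEVELOPER": {"foo"}})
    return Product("PRODUCT", [top, restricted]), top, restricted


def audit(privileges: dict[str, list[Rule]], product: Product,
          part: DesignPart, users=("foo", "bar")) -> list[tuple[str, str]]:
    """(user, privilege) pairs allowed on `part`; lets an administrator spot a
    privilege whose effective scope is wider than the designpart's roles."""
    return sorted((u, p) for u in users for p in privileges
                  if allowed(privileges, p, product, part, u))


if __name__ == "__main__":
    product, top, restricted = build_scenario()
    print("weak:    ", audit(WEAK_PRIVILEGES, product, restricted))
    print("hardened:", audit(harden(WEAK_PRIVILEGES), product, restricted))
```

Running the audit against RESTRICTED under the weak configuration lists bar with "Download Files from Project" even though "Get Item" is denied to him, which is exactly the inconsistency the advisory describes; after `harden()` only foo appears. The same audit can be pointed at any designpart whose role assignments were tightened, to confirm that every privilege honours the restriction and not just the one that was tested.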