Serena TeamTrack contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when accessing dynamically generated HTML content from the TeamTrack server by requesting it through the LoginPage directive. As the LoginPage directive does not require a user to be logged on, while still processing the data keywords found in the HTML file, an attacker can access: CONTACT information (from the Contacts table), ISSUE information (from the Issues table), and/or RESOLUTION information (from the Resolution table). This results in a loss of confidentiality.

Upgrade to version 6.2 or higher, as it has been reported to fix this vulnerability. Users may also install the patch made available by Serena.

• Bugtraq ID: 10770
• Secunia Advisory ID: 12122
• CVE ID: 2004-2563 (see also: NVD)
• Related OSVDB ID: 8182 8183 8184
• Other Advisory URL: http://www.securiteam.com/windowsntfocus/5SP0O0ADGG.html
• Vendor URL: http://www.serena.com/

• Noam Rathaus - noamrbeyondsecurity.com - Beyond Security