We are currently using CA PPM 14.x and are looking to implement the Mobile Time Manager, and I am being asked such things as what port the mobile app uses and whether it can be changed from the existing port. Some security-type questions have been raised. The questions are below:

1. Enumerations:
Even though the app is not authenticating against AD credentials, it may be possible to enumerate valid logins (discover usernames). Does this problem exist?

2. SQL injection at login:
If the form login (untrusted input) is vulnerable to SQL injection (typically a cobbled vs prepared SQL statement and/or poor or unpatched libraries), we run the risk of exposing the underlying username and pw hash columns of the database. If the tables can be dumped, the passwords can be recovered by a rainbow table attack. While the passwords are not our AD passwords, some users may set them the same as AD and it could result in stolen AD creds. Is this possible?
Does anyone know where I can find the technical information for the CA PPM Mobile Time Manager?
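The two risks named in the question, shown side by side in a constructed example added here (this is not code from CA PPM, MTM or the poster, and the schema, table names and user are hypothetical): a login routine that splices untrusted input into its SQL and answers "unknown user" / "wrong password" separately, next to a hardened version that binds parameters, stores salted iterated hashes (so a dumped table is useless to a rainbow table), compares in constant time and returns one uniform failure message whether or not the username exists.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical login back end built for this example; it assumes nothing about
# CA PPM's or MTM's real schema or code.

ITERATIONS = 100_000
DUMMY_SALT = secrets.token_bytes(16)


def legacy_hash(password: str) -> str:
    # Unsalted hash: if this column is dumped, a precomputed (rainbow) table
    # recovers common passwords directly.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    # Per-user salt plus iteration: precomputed tables no longer apply, and each
    # guess against a dumped row costs ITERATIONS hash rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user "alice" in a legacy table (unsalted) and
    # in a hardened table (salted).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)",
                 ("alice", legacy_hash("correct horse")))
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, salted_hash("correct horse", salt)))
    conn.commit()
    return conn


def cobbled_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    # VULNERABLE: the username is concatenated into the SQL text, so a quote in
    # the input changes the query structure instead of being treated as data.
    # The two distinct failure messages also reveal which usernames exist.
    sql = ("SELECT username FROM users_legacy WHERE username = '" + username
           + "' AND pw_hash = '" + legacy_hash(password) + "'")
    if conn.execute(sql).fetchone():
        return "ok"
    exists = conn.execute(
        "SELECT 1 FROM users_legacy WHERE username = '" + username + "'").fetchone()
    return "wrong password" if exists else "unknown user"


def prepared_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    # HARDENED: the username is bound as a parameter (it can only ever be data),
    # the stored hash is salted, the comparison is constant-time, and the reply
    # is identical whether the username is unknown or the password is wrong.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Do the same amount of work so an unknown user is not measurably faster.
        salted_hash(password, DUMMY_SALT)
        return "invalid credentials"
    salt, stored = row
    if hmac.compare_digest(salted_hash(password, salt), stored):
        return "ok"
    return "invalid credentials"


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "bad"), ("bob", "bad")]:
        print(f"{user!r:10} cobbled={cobbled_login(db, user, pw):15} "
              f"prepared={prepared_login(db, user, pw)}")
```

Run it and the cobbled routine answers differently for "alice" and "bob" with a bad password, which is exactly the enumeration signal the question worries about, while the prepared routine answers "invalid credentials" in both cases. The same cobbled query is also what lets a quote character in the username rewrite the statement; the bound-parameter version never exposes that path, so reviewing the login handler for concatenated SQL (and for unsalted hash columns) is the check to make.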
I have checked MTM using PPM 14.4 and 15.3 and neither seems to exhibit a user enumeration vulnerability. I am not aware of any SQL injection issue in MTM either.
Regarding the port, MTM will connect to the port you indicate in your PPM configuration (e.g. if you are using HTTPS access to get into PPM and you have configured port 443, then MTM will connect to port 443).
This is the documentation available for 14.4 and MTM: CA Clarity Mobile Time Manager App - CA PPM - 14.4 - CA Technologies Documentation
As a friendly reminder, only 14.4 is currently supported (CA PPM Release and Support Lifecycle Dates - CA Technologies), and this release is not receiving any more patches. We strongly encourage you to consider upgrading to our latest releases, such as 15.4, to benefit from the newest features and latest fixes.
Hope this answers your questions.