We are currently using CA PPM 14.x and are looking to implement the Mobile Time Manager and I am being asked such things as what port does the mobile app use and can it be changed from the existing port. Some security type questions have been raised. The questions are below:
1. Enumerations:
Even though the app is not authenticating against AD credentials, it may be possible to enumerate valid logins (discover usernames). Does this problem exist?
2. SQL injection at login:
If the form login (untrusted input), is vulnerable to SQL injection (typically a cobbled vs prepared SQL statement and/or poor or unpatched libraries), we run the risk of exposing the underlying username, pw hash columns of the database. If the tables can be dumped, the passwords can be recovered by a rainbow table attack. While the passwords are not our AD passwords, some users may set them the same as AD and it could result in stolen AD creds. Is this possible?
Does anyone know where I can find the technical information for the CA PPM Mobile Time Manager?