Core Security Technologies - CoreLabs
Advisory
http://www.coresecurity.com/corelabs/
Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System
1. *Advisory Information*
Title: Multiple XSS and Injection Vulnerabilities in TestLink Test
Management and Execution System
Advisory Id: CORE-2009-1013
Advisory URL:
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities
Date published: 2009-12-09
Date of last update: 2009-12-09
Vendors contacted: TestLink Community
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37258
CVE Name: CVE-2009-4237, CVE-2009-4238
3. *Vulnerability Description*
Multiple injection (both XSS [1] and SQL) vulnerabilities have been
discovered in TestLink [2], a widely used test-case management
application written in PHP [3]. One of the XSS vulnerabilities,
discovered in its login screen, can be exploited without an
authenticated session.
4. *Vulnerable packages*
. TestLink 1.8.0
. TestLink 1.8.1
. TestLink 1.8.2
. TestLink 1.8.3
. TestLink 1.8.4
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. TestLink 1.8.5
6. *Solutions and Workarounds*
Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features
the option to upgrade a current installation in its install scripts.
7. *Credits*
These vulnerabilities were discovered and researched by Pablo
Annetta, from Core Security Technologies, during Core Bugweek 2009 as
a member of the "Los Herederos de Don Pablo (HDP)" team.
8. *Technical Description / Proof of Concept Code*
Most of these vulnerabilities are present in the TestLink code because
the logic for sanitizing user input is rudimentary: each script
sanitizes its own input instead of delegating the task to a separate
layer. Often only slashes are stripped, and HTML entities are almost
never escaped.
The only vulnerability in this report that can be exploited without
an authenticated session is an XSS vulnerability in TestLink's login
page 'login.php'. This script takes a parameter named 'req', which the
application uses to set the next request to be made. All parameters
are initialized in the 'init_args' function, which does not sanitize
its arguments appropriately, as seen below.
/-----
function init_args()
{
    $args = new stdClass();
    // Only slashes are stripped from the request; nothing is HTML-escaped.
    $_REQUEST = strings_stripSlashes($_REQUEST);
    $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;
    $args->login = isset($_REQUEST['tl_login']) ?
                   trim($_REQUEST['tl_login']) : null;
    $args->pwd = isset($_REQUEST['tl_password']) ?
                 $_REQUEST['tl_password'] : null;
    $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;
    $args->preqURI = (isset($_REQUEST['reqURI']) &&
                      strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;
    return $args;
}
-----/
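As an added example (not TestLink's code and not part of the advisory), the snippet below contrasts the slashes-only handling of 'req' seen above with the single shared escaping layer the preceding paragraphs call for. It assumes, since the advisory does not say, that the 'req' value is later written into an HTML attribute such as a hidden form field; all function names and the sample values are hypothetical.

```php
<?php
// Added example, not TestLink's code: one shared escaping layer in place of
// the per-script, slashes-only handling seen in init_args().
// Assumption (not stated in the advisory): the 'req' value is later written
// into an HTML attribute, e.g. a hidden form field carrying the next request.

// Central output-encoding helper. Every value that reaches HTML passes
// through here, so no individual script has to remember to escape.
function html_escape(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Restrict the "next request" value to a relative, in-application path.
// A scheme, a leading slash or dot, '..', or any character outside the
// allow-list makes the value fall back to the default.
function safe_req_uri(?string $raw, string $default = 'index.php'): string
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    $ok = preg_match('#\A[A-Za-z0-9_][A-Za-z0-9_./?=&%-]*\z#', $raw) === 1
        && strpos($raw, '..') === false;
    return $ok ? $raw : $default;
}

// Vulnerable shape, as described in the advisory: slashes stripped,
// nothing else, then straight into markup.
function render_req_field_vulnerable(string $req): string
{
    return '<input type="hidden" name="req" value="' . stripslashes($req) . '">';
}

// Hardened shape: validate the value, then encode it at the output boundary.
function render_req_field_hardened(?string $req): string
{
    return '<input type="hidden" name="req" value="'
        . html_escape(safe_req_uri($req)) . '">';
}

// Constructed sample: a value that closes the attribute and injects a tag.
$sample = '"><b>injected</b>';
echo render_req_field_vulnerable($sample), PHP_EOL; // attribute broken, tag lands in the page
echo render_req_field_hardened($sample), PHP_EOL;   // rejected, falls back to index.php

// A benign, constructed relative path survives intact.
echo render_req_field_hardened('somePage.php?id=5'), PHP_EOL;
```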
This vulnerability can be verified by issuing the following request
to a TestLink installation on localhost:
/-----