Re: CVE-2014-5308 - Multiple SQL Injection Vulnerabilities in TestLink

[Brandon Perry <bperry.volatile () gmail com>]

I am unable to exploit this with any user except admin, so I am curious how
you were able to come to the conclusion that any user who could sign up
would be able to exploit these...

"Note:'Any user can create account for the application in
'testlink/firstLogin.php' page hence its possible to exploit aforementioned
SQL injections without prior knowledge of the authentication details.'"

Even capturing the vulnerable requests with burp and cookie swapping with
my newly-created user (whom is guest by default), I was hit with RBAC.

On Wed, Oct 1, 2014 at 11:38 AM, Portcullis Advisories <
advisories () portcullis-security com> wrote:

> Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink
> CVE: CVE-2014-5308
> Vendor: Testlink
> Product: TestLink
> Affected version: 1.9.11
> Fixed version: Fixed in SVN commit number 7a09973
> Reported by: Jerzy Kramarz
>
> Details:
>
> Two SQL injection vulnerabilities have been found and confirmed within the
> software as an authenticated user. A successful attack could allow an
> authenticated attacker to access information such as usernames and password
> hashes that are stored in the database. The following URLs and parameters
> have been confirmed to suffer from Multiple SQL injections:
>
> Vulnerability 1 (Fixed in commit #7a09973 in official repository)
>
> <pre>
>
> POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
> Host: 192.168.56.101
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
> Firefox/30.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
> Cookie: [...]
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 200
>
> CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL
> Injection>&search=Search%2FFilter
>
> </pre>
>
> Vulnerability 2 (Fixed in patches after commit #7a09973 in official
> repository)
>
> <pre>
>
> POST /testlink/lib/events/eventinfo.php HTTP/1.1
> Content-Length: 6
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip,deflate
> Host: 192.168.56.101
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
> Firefox/30.0
> DNT: 1
> Connection: close
> Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
> Pragma: no-cache
> Cache-Control: no-cache
> X-Requested-With: XMLHttpRequest
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1;
> ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}
>
> id=123<SQL Injection>
>
> </pre>
>
> Note:'Any user can create account for the application in
> 'testlink/firstLogin.php' page hence its possible to exploit aforementioned
> SQL injections without prior knowledge of the authentication details.'
>
> Further details at:
>
>
> https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/
>
>
> Copyright:
> Copyright (c) Portcullis Computer Security Limited 2014, All rights
> reserved worldwide. Permission is hereby granted for the electronic
> redistribution of this information. It is not to be edited or altered in
> any way without the express written consent of Portcullis Computer Security
> Limited.
>
> Disclaimer:
> The information herein contained may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There are
> NO warranties, implied or otherwise, with regard to this information or its
> use. Any use of this information is at the user's risk. In no event shall
> the author/distributor (Portcullis Computer Security Limited) be held
> liable for any damages whatsoever arising out of or in connection with the
> use or spread of this information.
>
>
> ###############################################################
> This email originates from the systems of Portcullis
> Computer Security Limited, a Private limited company,
> registered in England in accordance with the Companies
> Act under number 02763799. The registered office
> address of Portcullis Computer Security Limited is:
> Portcullis House, 2 Century Court, Tolpits Lane, Watford,
> United Kingdom, WD18 9RS.
> The information in this email is confidential and may be
> legally privileged. It is intended solely for the addressee.
> Any opinions expressed are those of the individual and
> do not represent the opinion of the organisation. Access
> to this email by persons other than the intended recipient
> is strictly prohibited.
> If you are not the intended recipient, any disclosure,
> copying, distribution or other action taken or omitted to be
> taken in reliance on it, is prohibited and may be unlawful.
> When addressed to our clients any opinions or advice
> contained in this email is subject to the terms and
> conditions expressed in the applicable Portcullis Computer
> Security Limited terms of business.
> ###############################################################
>
>
> #####################################################################################
> This e-mail message has been scanned for Viruses and Content and cleared
> by MailMarshal.
>
> #####################################################################################
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/