SQL Injection in TestLink

2016-01-07T00:00:00
ID HTB23288
Type htbridge
Reporter High-Tech Bridge
Modified 2016-01-07T00:00:00

Description

High-Tech Bridge Security Research Lab discovered high-risk SQL injection vulnerability in TestLink Open Source Test Management. The vulnerability can be exploited to alter the present SQL query and gain access to potentially sensitive information or even to completely compromise the vulnerable web application.

The vulnerability is caused by insufficient filtration of "apikey" HTTP GET parameter, passed to "lnl.php" PHP script. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in application's database.

A simple exploit code below will display version of used MySQL server:

http://[host]/lnl.php?apikey=1239999999%27%20OR%201=%28IF%28MID%28version%28 %29,1,1%29%20LIKE%205,%201,0%29%29%20--%202