Core Security Technologies - CoreLabs
Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System
1. *Advisory Information*
Title: Multiple XSS and Injection Vulnerabilities in TestLink Test
Management and Execution System
Advisory Id: CORE-2009-1013
Date published: 2009-12-09
Date of last update: 2009-12-09
Vendors contacted: TestLink Community
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37258
CVE Name: CVE-2009-4237, CVE-2009-4238
3. *Vulnerability Description*
Multiple injection (both XSS and SQL) vulnerabilities have been
discovered in TestLink, a widely used test-case management
application written in PHP. One of the XSS vulnerabilities,
discovered in its login screen, can be exploited without an
4. *Vulnerable packages*
. TestLink 1.8.0
. TestLink 1.8.1
. TestLink 1.8.2
. TestLink 1.8.3
. TestLink 1.8.4
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. TestLink 1.8.5
6. *Solutions and Workarounds*
Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features
the option to upgrade a current installation in its install scripts.
7. *Credits*
These vulnerabilities were discovered and researched by Pablo
Annetta, from Core Security Technologies, during Core Bugweek 2009 as
a member of the "Los Herederos de Don Pablo (HDP)" team.
8. *Technical Description / Proof of Concept Code*
Most of these vulnerabilities exist because TestLink's input
sanitization is rudimentary: each script sanitizes its own input
instead of delegating that task to a shared layer. Often only slashes
are stripped, and HTML entities are almost never escaped, so a value
that is later reflected into a page reaches the browser unchanged.
The only vulnerability in this report that can be exploited without
an authenticated session is an XSS vulnerability in TestLink's login
page, 'login.php'. The script reads a parameter named 'req', which the
application uses to set the next request to be made. All parameters
are initialized in the 'init_args' function, which does not sanitize
its arguments appropriately, as seen below:
    function init_args()
    {
        $args = new stdClass();
        // The only "sanitization" applied to the whole request: slashes are
        // stripped. Nothing is HTML-escaped or validated.
        $_REQUEST = strings_stripSlashes($_REQUEST);
        $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;
        $args->login = isset($_REQUEST['tl_login']) ?
                       trim($_REQUEST['tl_login']) : null;
        $args->pwd = isset($_REQUEST['tl_password']) ?
                     $_REQUEST['tl_password'] : null;
        // 'req' (the next request to be made) is taken verbatim from the
        // client and later reflected into the page without escaping.
        $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;
        $args->preqURI = (isset($_REQUEST['reqURI']) &&
                          strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;
        return $args;
    }
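The consequence of that pattern, as an added PHP example that is not part of TestLink or of this advisory: a minimal reflection of 'req' guarded only by stripslashes(), next to a hardened version that restricts the value to a relative path and HTML-escapes it on output. The function names, the output markup, the fallback path and the test inputs are constructed for illustration; exactly how login.php reflects 'req' is assumed here to be into an HTML attribute and is not shown on this page.

```php
<?php
// Added example, not code from TestLink or from this advisory.
// Shows why stripping slashes does not neutralize a value that is reflected
// into HTML, and one hardened handling of a "next request" parameter.
// Function names, markup, fallback path and inputs are constructed.

// Pattern from the advisory: the only "sanitization" is slash stripping,
// then the value is reflected verbatim (assumed here: into an attribute).
function vulnerable_req(array $request): string
{
    $req = isset($request['req']) ? stripslashes($request['req']) : '';
    return '<input type="hidden" name="req" value="' . $req . '">';
}

// Accept only a relative, same-site path: no scheme, no protocol-relative
// "//", no quotes, angle brackets or whitespace. Anything else falls back.
function safe_relative_path(string $req, string $fallback = 'index.php'): string
{
    if (preg_match('#^(?!//)[A-Za-z0-9_./?&=-]+$#', $req) === 1) {
        return $req;
    }
    return $fallback;
}

// Hardened version: validate the value, then HTML-escape it on output.
// Validation stops an off-site redirect target; escaping stops the XSS.
function safe_req(array $request): string
{
    $req = isset($request['req']) ? (string) $request['req'] : '';
    $req = safe_relative_path($req);
    $escaped = htmlspecialchars($req, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="req" value="' . $escaped . '">';
}

// Constructed inputs: a legitimate next page, an attribute break-out with a
// script element, and a protocol-relative off-site URL.
$inputs = [
    'benign'  => 'lib/general/mainPage.php?x=1&y=2',
    'xss'     => '"><script>alert(document.cookie)</script>',
    'offsite' => '//attacker.example/phish',
];

foreach ($inputs as $label => $value) {
    echo "[$label] vulnerable: " . vulnerable_req(['req' => $value]) . "\n";
    echo "[$label] hardened:   " . safe_req(['req' => $value]) . "\n";
}
```

Run it with the php CLI. For the 'xss' input the vulnerable output closes the value attribute and leaves a live script element in the markup, while the hardened output falls back to 'index.php'; for the benign input the hardened version still passes the path through but emits '&amp;' for the query separator. Note that the two checks are not interchangeable: escaping alone would fix the XSS but, if 'req' is also used as a redirect target, still allow an open redirect to '//attacker.example', and the path check alone would not protect any other place the value is echoed.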
This vulnerability can be verified by issuing the following request
to a TestLink installation on localhost: