TestLink 1.9.3 multiple vulnerabilities

There are multiple security vulnerabilities in TestLink 1.9.3 which, chained together, may allow an attacker with no prior access (self-registration is enabled by default, so any visitor can obtain a low-privilege account) to execute arbitrary PHP code, and thus arbitrary commands, as the web server user.

Software

Software Link: http://www.teamst.org/

Vulnerable Versions: 1.9.3

Vendor Notification: Unnotified

# 0x00 # SQL Injection # Authenticated - Any Role

Multiple SQL injection and blind SQL injection vulnerabilities were reported in previous versions by other researchers. Version 1.9.3 is still vulnerable to them.

Here are some samples:

# 0x01 # Unrestricted File Upload # Authenticated - Any Role

Arbitrary files can be uploaded by a user with any role; no extension or content check is applied. Since user registration is enabled by default, any visitor can obtain such an account.

File names are randomized with 'md5(uniqid(rand(), true))' while the original extension is kept, and the files are stored under the web root at '/testlink-1.9.3/upload_area/nodes_hierarchy/(id)/([a-f0-9]{32}).ext'. A '.php' upload is therefore a directly executable script whose only protection is that its randomized name is unknown to the attacker.

By combining the arbitrary file upload with the SQL injection above, which can be used to read the stored file name back from the database, it is possible to request and execute the uploaded PHP file.

The following proof of concept is available:

An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/689
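The following is an added illustration, not TestLink's code and not part of the original advisory. It contrasts the upload pattern described above (attacker-chosen extension kept, file placed under the web root, a random name as the only protection) with a hardened handler that enforces an extension and content allow-list, drops the extension from the stored name, keeps files outside the document root and serves them only through a download script. The constants, directory paths and metadata layout are assumptions made for the example.

```php
<?php
// Added example (not TestLink code). Paths, constants and the $meta array
// layout are assumptions for illustration only.

// --- Vulnerable pattern (as described in the advisory) -------------------
function store_upload_vulnerable(array $file, int $nodeId): string
{
    $ext  = pathinfo($file['name'], PATHINFO_EXTENSION);        // attacker-chosen, e.g. "php"
    $name = md5(uniqid(rand(), true)) . '.' . $ext;             // random name, extension kept
    $dir  = __DIR__ . "/upload_area/nodes_hierarchy/$nodeId";   // inside the web root
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    move_uploaded_file($file['tmp_name'], "$dir/$name");
    // The random name ends up in the database; anyone who can read that row
    // (for example via SQL injection) can request the file and PHP runs it.
    return $name;
}

// --- Hardened pattern ----------------------------------------------------
const UPLOAD_ROOT = '/var/lib/testlink/uploads';   // assumption: outside DocumentRoot
const ALLOWED = [                                  // extension => expected MIME type
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

function store_upload_hardened(array $file, int $nodeId): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not permitted');
    }
    // Check the content, not just the client-supplied name and type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Opaque stored name with no extension: nothing for the web server to execute,
    // and a CSPRNG rather than uniqid()/rand().
    $storedName = bin2hex(random_bytes(16));
    $dir = UPLOAD_ROOT . '/' . $nodeId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], "$dir/$storedName")) {
        throw new RuntimeException('cannot store file');
    }
    // Persist the original name and verified MIME type next to the stored name
    // so the download script can set headers from trusted data.
    return ['stored' => $storedName, 'name' => basename($file['name']), 'mime' => $mime];
}

// --- Download script: the only route to stored files ---------------------
function serve_upload(array $meta, int $nodeId): void
{
    // $meta is the DB row returned after an authorization check (omitted here).
    if (!preg_match('/^[0-9a-f]{32}$/', $meta['stored'])) {
        http_response_code(400);
        return;
    }
    $path = UPLOAD_ROOT . "/$nodeId/" . $meta['stored'];
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $safeName = preg_replace('/[^\w.\-]/', '_', $meta['name']);
    header('Content-Type: ' . $meta['mime']);
    header('X-Content-Type-Options: nosniff');          // stop browsers sniffing a script out of it
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The point of the hardened version is that the file name is never the security control: even if an attacker learns the stored name through the database, the file sits outside the web root, has no extension the interpreter will act on, and is only ever streamed back as an attachment after the application has authorized the request.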

# 0x02 # Cross-Site Request Forgery (CSRF) # Authenticated - Admin Role

The following proof of concept is available:

# 0x03 # Session Identifier Disclosure # Unauthenticated

The audit logs disclose PHPSESSID values. As the logs are reachable without authentication, a visitor can read the session identifiers of logged-in users (including administrators) and present one as their own cookie, taking over that session without any credentials.

The following proof of concept is available:
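As an added example, not code from TestLink or from the original advisory, the following shows the fix on the logging side: session identifiers are replaced by a short non-reversible fingerprint before a line is written, so entries remain correlatable without being replayable, and a second routine scans existing log lines for raw identifiers that already leaked. The cookie name, pattern and sample log lines are assumptions constructed for the example.

```php
<?php
// Added example (not TestLink code). The sample log lines are constructed
// for illustration and are not real TestLink audit output.

// PHP's default session cookie name; in an application this should be read
// from session_name() rather than hard-coded.
const SESSION_COOKIE = 'PHPSESSID';

// Matches "PHPSESSID=<id>", "PHPSESSID: <id>" and "'PHPSESSID' => '<id>'".
// PHP session IDs use [A-Za-z0-9,-] depending on session.hash_bits_per_character.
function session_id_pattern(string $cookie): string
{
    return '/\b' . preg_quote($cookie, '/') . '\b[\'"]?\s*(?:=>|=|:)\s*[\'"]?([A-Za-z0-9,-]{8,128})/';
}

/**
 * Replace every session identifier in a log line with <redacted:xxxxxxxx>,
 * where xxxxxxxx is the first 8 hex chars of SHA-256(id). Lines about the
 * same session still match each other, but the value cannot be replayed.
 */
function redact_session_ids(string $line, string $cookie = SESSION_COOKIE): string
{
    return preg_replace_callback(session_id_pattern($cookie), function (array $m) {
        $fingerprint = substr(hash('sha256', $m[1]), 0, 8);
        return str_replace($m[1], "<redacted:$fingerprint>", $m[0]);
    }, $line);
}

/** Return the log lines that still carry a raw session identifier. */
function find_leaked_session_ids(array $lines, string $cookie = SESSION_COOKIE): array
{
    $pattern = session_id_pattern($cookie);
    return array_values(array_filter($lines, function (string $l) use ($pattern) {
        return preg_match($pattern, $l) === 1;
    }));
}

// Constructed sample audit entries.
$sample = [
    '2012-07-01 10:00:01 [INFO] login ok user=alice PHPSESSID=9f3c0c2d1a7e4b5f8a6d7c8e9f0a1b2c',
    '2012-07-01 10:00:05 [INFO] GET /lib/general/navBar.php Cookie: PHPSESSID=9f3c0c2d1a7e4b5f8a6d7c8e9f0a1b2c',
    "2012-07-01 10:00:09 [DEBUG] \$_COOKIE = array('PHPSESSID' => '9f3c0c2d1a7e4b5f8a6d7c8e9f0a1b2c')",
    '2012-07-01 10:00:12 [INFO] testproject created id=7 by user=alice',
];

printf("raw lines leaking a session id: %d\n", count(find_leaked_session_ids($sample)));
$clean = array_map('redact_session_ids', $sample);
printf("after redaction: %d\n", count(find_leaked_session_ids($clean)));
foreach ($clean as $line) {
    echo $line, PHP_EOL;
}
```

Redaction only limits the damage; the audit log itself should still be restricted to authenticated administrators, since usernames, actions and timestamps are useful to an attacker even without the session values.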

# 0x04 # Information Disclosure # Unauthenticated

The database version, PHP version, installed modules and writable directories are disclosed to an unauthenticated user. This is the kind of environment report normally produced by an installer or self-check page; it gives an attacker exact component versions to match against known issues and tells them which directories the web server can write to, which is precisely the information needed to place and locate an uploaded file. Such pages should be removed or access-restricted once installation is complete.

The following proof of concept is available:

Reference

# OWASP: SQL Injection

# OWASP: Unrestricted File Upload

# OWASP: Information Leakage

# OWASP: Cross-Site Request Forgery (CSRF)

Appendix

[TXT] TestLink 1.9.3 multiple vulnerabilities