During one of my latest projects, I was asked to analyze the security of a web server.
After looking at the webapp for a while I found that there were also some other webapps available on the server. One of them was the TestLink application.
(TL;DR: because I found the admin's credentials in "another way" on that server, below you will find only a few notes about the bug. We will talk about a SQL injection vulnerability for a logged-in admin user.
I don't know if you will also find it working for lower-level users; anyway, let me know in the comments/email if so ;))
Let's get to work.
I created a small script in Python to analyze the whole source code directory of TestLink. Below are screens from starting the script:
After a while I was able to identify a potential SQL injection bug. I decided to put it in a txt file and run it with sqlmap:
And here you will find the full request to the webapp; that's how you should be able to verify it for yourself:
I found that the request goes through the function get_by_name():
Here you can also check it:
When I was looking for the params here (and for an idea of "what's going on" in the code) I found a function called prepare_string() that seems to be vulnerable (no filtering for prepared strings):
After I found this, I was wondering how many calls to prepare_string() we would find in the code:
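As an added example of the kind of source-scanning script described above (this is not the author's script and the PHP it scans is not TestLink code; the sample files are constructed for the demo, and only the helper name prepare_string() comes from the post), here is a small Python scanner that walks a source tree, counts calls to a named helper, and flags SQL string literals that are concatenated with a PHP variable. That concatenation pattern is what a code reviewer wants to inspect first, because a helper that only "prepares" a string cannot make a query safe if the value is still spliced into the SQL text.

```python
"""Heuristic PHP source scanner (added example, not the author's tool).

It reports two things over a directory of .php files:
  1. how many times a named helper (default: prepare_string) is called per file;
  2. lines where a string literal containing a SQL keyword is immediately
     concatenated with a PHP variable ("SELECT ... '" . $x), i.e. a query
     built by string building rather than by a parameterized statement.
"""
import os
import re
import tempfile
from collections import Counter

# Constructed sample tree (NOT real TestLink source); the "safe" file uses a
# placeholder-based query so the scanner has a negative case to leave alone.
SAMPLE_TREE = {
    "lib/functions/user.class.php": """<?php
function get_by_name(&$db, $login)
{
    $sql = "SELECT id FROM users WHERE login='" . $db->prepare_string($login) . "'";
    return $db->get_recordset($sql);
}
""",
    "lib/functions/safe.class.php": """<?php
function get_by_id(&$db, $id)
{
    $sql = "SELECT id FROM users WHERE id = ?";
    return $db->get_recordset_prepared($sql, array($id));
}
""",
    "lib/functions/misc.php": """<?php
$name = $db->prepare_string($_GET['name']);
$sql = "SELECT * FROM projects WHERE name='" . $name . "'";
$sql2 = 'DELETE FROM keywords WHERE id=' . $id;
""",
}

# A double- or single-quoted PHP string literal (backslash escapes allowed).
STRING = re.compile(r"\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'")
# Heuristic: the literal looks like SQL if it carries one of these keywords.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
# Right after the literal: a concatenation with a variable, e.g.  . $login
CONCAT_AFTER = re.compile(r"\s*\.\s*\$\w+")


def write_sample_tree(root):
    """Materialize the constructed sample files under root."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def iter_php_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".php"):
                yield os.path.join(dirpath, fn)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def count_helper_calls(root, helper="prepare_string"):
    """Return {relative_path: number_of_calls} for files that call the helper."""
    pat = re.compile(r"\b" + re.escape(helper) + r"\s*\(")
    counts = Counter()
    for path in iter_php_files(root):
        with open(path, encoding="utf-8") as fh:
            n = len(pat.findall(fh.read()))
        if n:
            counts[_rel(path, root)] = n
    return dict(counts)


def find_concat_sql(root):
    """Return (relative_path, line_number, stripped_line) for each SQL literal
    that is directly concatenated with a variable on that line."""
    findings = []
    for path in iter_php_files(root):
        with open(path, encoding="utf-8") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in STRING.finditer(line):
                    if SQL_KEYWORD.search(m.group(0)) and CONCAT_AFTER.match(line, m.end()):
                        findings.append((_rel(path, root), lineno, line.strip()))
                        break  # one report per line is enough
    return findings


def scan(root=None, helper="prepare_string"):
    """Scan root (or a temp dir seeded with the sample tree when root is None)."""
    if root is None:
        root = tempfile.mkdtemp(prefix="phpscan_")
        write_sample_tree(root)
    return {"helper_calls": count_helper_calls(root, helper),
            "concat_sql": find_concat_sql(root)}


if __name__ == "__main__":
    report = scan()
    for f, n in report["helper_calls"].items():
        print(f"{f}: {n} call(s) to prepare_string")
    for f, ln, src in report["concat_sql"]:
        print(f"{f}:{ln}: {src}")
```

Run it against a real checkout with `scan("/path/to/source")`; every hit is a place to check whether the concatenated value is under the caller's control and whether the helper in front of it actually escapes for the database in use. The fix for each hit is the shape shown in the constructed safe.class.php file: a placeholder in the query and the value passed separately.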
Looks cool enough to start searching for more bugs... :)
A small verification: prepare_string(vulnParam) - XSS:
Code not filtered, injected:
Good. Let's check our SQL bug now:
It looks like this is it. :)
I think you can find a few more bugs there, but I will leave that to you as an exercise.
Happy bug hunting in the New Year ;)