Thursday, 5 January 2017

A few bugs in TestLink

During one of my latest projects, I was asked to analyze the security of a web server.

After looking at the web app for a while, I found that there were also some other web apps available on the server. One of them was TestLink.

As you can see, the "last" version was released in 09.2016. The version I found during the pentest was older (2010 or 2011, afaik). Anyway, I decided to download the current one (1.9.15) and find a few bugs that I could use in the next steps of my project.

(TL;DR: because I found the admin's credentials in "another way" on that server, below you will find only a few notes about the bug. We will talk about a SQL injection vulnerability for a logged-in admin user.

I don't know whether it also works for lower-privileged users; anyway, let me know in the comments/by email if so ;))

Let's get to work.

I created a small script in Python to analyze the whole source code directory of TestLink. Below are screenshots from running the script:

After a while I was able to identify a potential SQL injection bug. I decided to save the request to a txt file and run it with sqlmap:

And here is the full request to the web app; that is how you should be able to verify it for yourself:

I found that the request goes through the function get_by_name():

Here you can also check it:

When I was looking at the params here (and trying to understand what was going on in the code) I found a function called prepare_string() that seems to be vulnerable (no filtering of the prepared strings):

Check here:

After I found this, I was wondering how many prepare_string() calls we would find in the code:

Looks cool enough to start searching for more bugs... :)
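The post does not include the Python scanner itself, so here is an added example of the kind of script meant above: it walks PHP source, joins each `;`-terminated statement, keeps the ones that build a SQL string, and flags three patterns, a value passed only through `prepare_string()` and concatenated into the query, a raw variable concatenated into the query, and a variable interpolated inside quotes. It also counts `prepare_string()` calls, which is the second thing done above. This is my code, not the author's script and not TestLink's code; the embedded PHP sample is constructed for the example and its function, table and method names (`testplans`, `fetchRowsIntoMap`, ...) are made up, only the prepare_string()-then-concatenate pattern is the one the post describes.

```python
import os
import re
from dataclasses import dataclass

# Constructed PHP sample (hypothetical names), not copied from TestLink.
SAMPLE_PHP = r'''<?php
function get_by_name($name)
{
    $sql = " SELECT id, name FROM testplans " .
           " WHERE name = '" . $this->db->prepare_string($name) . "'";
    return $this->db->fetchRowsIntoMap($sql, 'id');
}

function get_by_id($id)
{
    $safe_id = intval($id);
    $sql = " SELECT id FROM testplans WHERE id = {$safe_id} ";
    return $this->db->fetchFirstRow($sql);
}

function get_by_status($status)
{
    $sql = "SELECT id FROM testplans WHERE status = '" . $status . "'";
    return $this->db->fetchRowsIntoMap($sql, 'id');
}

function get_by_login($login)
{
    $sql = "SELECT id FROM users WHERE login = '$login'";
    return $this->db->fetchFirstRow($sql);
}

function get_by_prefix($prefix)
{
    $sql = "SELECT id FROM testprojects WHERE prefix = '" .
           $this->db->prepare_string($prefix) . "'";
    return $this->db->fetchRowsIntoMap($sql, 'id');
}
'''

# A string literal that starts with a SQL verb marks a query-building statement.
SQL_KEYWORD = re.compile(r'["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# `. $this->db->prepare_string(` : escaping delegated to prepare_string() only.
PREPARE_CONCAT = re.compile(r'\.\s*\$\w+(->\w+)*->prepare_string\s*\(')
# `" . $var` : a variable concatenated straight into the query text.
VAR_CONCAT = re.compile(r"""['"]\s*\.\s*\$\w+""")
# `'$var'` or `'{$var}'` : interpolation inside a quoted SQL string.
QUOTED_INTERP = re.compile(r"'\{?\$\w+\}?'")


@dataclass
class Finding:
    line: int        # first source line of the statement
    kind: str
    statement: str


def iter_sql_statements(src):
    """Yield (line_no, statement) for each statement that builds a SQL string.
    Lines are joined until one ends in ';', '{' or '}', so multi-line queries
    are analysed as one unit."""
    buf, start = [], None
    for no, line in enumerate(src.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('//'):
            continue
        if start is None:
            start = no
        buf.append(stripped)
        if stripped[-1] in ';{}':
            stmt, first = ' '.join(buf), start
            buf, start = [], None
            if SQL_KEYWORD.search(stmt):
                yield first, stmt


def scan_php_source(src):
    """Return the list of suspicious query-building statements in one PHP file."""
    findings = []
    for no, stmt in iter_sql_statements(src):
        if PREPARE_CONCAT.search(stmt):
            findings.append(Finding(no, 'prepare_string-only escaping', stmt))
        elif QUOTED_INTERP.search(stmt):
            findings.append(Finding(no, 'variable interpolated inside quotes', stmt))
        elif VAR_CONCAT.search(stmt):
            findings.append(Finding(no, 'raw variable concatenated into SQL', stmt))
    return findings


def count_prepare_string_calls(src):
    return len(re.findall(r'prepare_string\s*\(', src))


def scan_directory(root):
    """Scan every .php file under root; returns {path: [Finding, ...]}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    found = scan_php_source(fh.read())
                if found:
                    report[path] = found
    return report


if __name__ == '__main__':
    for f in scan_php_source(SAMPLE_PHP):
        print(f'line {f.line}: {f.kind}\n    {f.statement}')
    print('prepare_string() calls:', count_prepare_string_calls(SAMPLE_PHP))
```

Run against a real checkout with `scan_directory('/path/to/testlink')`; the `prepare_string-only escaping` hits are the ones to trace by hand, because whether they are exploitable depends entirely on what `prepare_string()` does with quotes.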

Small verification: prepare_string(vulnParam) - XSS:

Unfiltered code, injected:

Good. Let's check our SQL bug now:

It looks like this is it. :)
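To make the SQL bug concrete without TestLink's own code, here is an added example (mine, not from the post or from TestLink) that reproduces the pattern described above in Python on an in-memory SQLite database: a `get_by_name()` lookup that quotes the user-supplied name by hand after passing it through a stand-in `prepare_string_like()` that, like the function observed in the post, does not filter anything, next to the same lookup as a parameterised query. The table, columns and payloads are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: two public plans and one the user must not see."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE testplans (id INTEGER PRIMARY KEY, name TEXT, is_public INTEGER)")
    conn.executemany(
        "INSERT INTO testplans (name, is_public) VALUES (?, ?)",
        [('Release 1.0', 1), ('Release 2.0', 1), ('Internal audit plan', 0)],
    )
    return conn


def prepare_string_like(value):
    """Stand-in (hypothetical) for an escaping helper that escapes nothing,
    which is the behaviour the post observed for prepare_string()."""
    return value


def get_by_name_vulnerable(conn, name):
    # Quotes are added by hand and the value is only "prepared", so a single
    # quote in `name` closes the literal and the rest becomes SQL.
    sql = ("SELECT id, name FROM testplans WHERE is_public = 1 AND name = '%s'"
           % prepare_string_like(name))
    return conn.execute(sql).fetchall()


def get_by_name_fixed(conn, name):
    # Bound parameter: the driver keeps the value as data whatever it contains.
    sql = "SELECT id, name FROM testplans WHERE is_public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Boolean injection: the OR defeats the is_public filter and returns every row.
BOOLEAN_PAYLOAD = "x' OR '1'='1"
# UNION injection: pulls a value that is not in the table at all.
UNION_PAYLOAD = "x' UNION SELECT 1, sqlite_version() -- "


if __name__ == '__main__':
    conn = build_db()
    print('normal   :', get_by_name_vulnerable(conn, 'Release 1.0'))
    print('boolean  :', get_by_name_vulnerable(conn, BOOLEAN_PAYLOAD))
    print('union    :', get_by_name_vulnerable(conn, UNION_PAYLOAD))
    print('fixed    :', get_by_name_fixed(conn, BOOLEAN_PAYLOAD))
```

The vulnerable lookup returns the non-public row for the boolean payload and the database version for the UNION payload; the parameterised version returns nothing for either, because the whole payload is compared as a name.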

I think you can find a few more bugs there, but I will leave that for you as an exercise.

Happy bug hunting in the New Year ;)
