Testlink 1.9.20: Unrestricted file upload and SQL injection
Testlink is an open source, web based test management and test execution system written in PHP (a scripting language also known as Hypertext Preprocessor). During a recent security audit, our AppSec team found an unrestricted file upload and two SQL injection vulnerabilities. Below we provide an in-depth overview of the three identified flaws and the ways they can be exploited.
Unrestricted file upload: Technical Analysis
Testlink offers the possibility to categorize test cases using keywords. These keywords can be exported and imported, and it is in this import/export operation that we found our first vulnerability.
SQL Injection: Technical Analysis
Let’s look at each SQL injection in detail. The flow of the first one starts in dragdroptreenodes.php; the injection is done through the unsanitized parameter
The following code snippet shows the entry point to the vulnerability:
The user input
The method definition is in tree.class.php
As you can see in the source code, the
The second SQL injection starts in planUrgency.php; the injection is done through the unsanitized parameter
After retrieving the
The definition of the
SQL Injection: Technical Analysis: Exploit
Testlink can be installed to use either MySQL or PostgreSQL. If it is using MySQL, an attacker can list sensitive database information. If it is using PostgreSQL, which allows stacked queries, an attacker can execute arbitrary queries against the server’s database.
This is the best scenario from an attacker’s perspective, because he can execute any SQL query simply by adding a
For example, we could make an account with a Guest role to become an Admin.
If we look at the script that populates the roles data in testlink_create_default_data.sql, we can see that the Role with id
Knowing this we can build the following payload to update the