Thursday, 5 January 2017

A few bugs in TestLink

During one of my recent projects, I was asked to analyze the security of a web server.


After looking at the webapp for a while I found that some other webapps were also available on the server. One of them was the TestLink application.

As you can see, the "latest" version was released in September 2016. The version I found during the pentest was older (from 2010 or 2011, as far as I know). Anyway, I decided to download it (1.9.15) and find a few bugs that I would use in the next steps of my project.



(TL;DR: because I found the admin's credentials in "another way" on that server, below you will find only a few notes about the bug. We will talk about a SQL injection vulnerability reachable by a logged-in admin user.

I don't know whether it also works for lower-privileged users; let me know in the comments or by email if so ;))

Let's get to work.

I created a small script in Python to analyze the whole TestLink source code directory. Below are screens from starting the script:





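The post does not reproduce the script, so here is an added example of the kind of source scan it describes: a grep-style taint pass over PHP files that shortlists lines where a request-derived value reaches a SQL or HTML-output sink without going through a known sanitizer. This is example code written for this post, not the author's script and not TestLink code; the sample PHP is constructed, and the sink and sanitizer lists are assumptions you would tune for the code base in front of you.

```python
"""Grep-style taint scan of PHP source: flag lines where a request-derived value
reaches a SQL or HTML-output sink without passing through a known sanitizer.

Illustrative example written for this post. It is neither the author's original
script nor TestLink code; the sample PHP below is constructed, and the sink and
sanitizer lists are assumptions to tune for the code base at hand.
"""
import os
import re
import sys
from dataclasses import dataclass

SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# "$var = rhs" or "$var .= rhs"; the lookahead keeps "==" from matching.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*(\.?=)(?!=)\s*(.*)$")
# Only these clear taint. Any other wrapper (a prepare_string()-style helper
# included) is treated as a pass-through, which is exactly what the post checks.
SANITIZER_RE = re.compile(r"^\s*(?:\(int\)|\(float\)|intval\(|floatval\()")
SINKS = {
    "sqli": re.compile(
        r"(?:exec_query|mysql_query|mysqli_query|->query)\s*\("
        r"|\b(?:SELECT|INSERT|UPDATE|DELETE)\b",
        re.IGNORECASE,
    ),
    "xss": re.compile(r"^\s*(?:echo|print)\b"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    variables: list
    code: str


def scan_source(text: str, path: str = "<memory>") -> list:
    """Linear, flow-insensitive taint tracking over one file (no scoping, no
    inter-procedural analysis); noisy, but enough to shortlist candidates."""
    tainted: set = set()
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]          # crude comment strip
        m = ASSIGN_RE.match(code)
        expr = m.group(3) if m else code       # the part that reads variables
        used = sorted(v for v in tainted if re.search(r"\$" + re.escape(v) + r"\b", expr))
        hot = (bool(used) or bool(SOURCE_RE.search(expr))) and not SANITIZER_RE.match(expr)
        if m:
            var, op = m.group(1), m.group(2)
            if hot:
                tainted.add(var)               # taint flows into the assigned variable
            elif op == "=":
                tainted.discard(var)           # plain reassignment with clean data
        if hot:
            for kind, sink_re in SINKS.items():
                if sink_re.search(expr):
                    findings.append(Finding(path, line_no, kind, used or ["<request>"], expr.strip()))
    return findings


def scan_tree(root: str) -> list:
    """Run scan_source over every .php file below root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample: the shape of the bug described in the post, not TestLink source.
SAMPLE_PHP = """<?php
// constructed sample
$name = $_REQUEST['name'];
$safe_id = intval($_REQUEST['id']);
$name = $this->prepare_string($name);
$sql = "SELECT id FROM items WHERE name = '" . $name . "' AND id = {$safe_id}";
$result = $db->exec_query($sql);
echo $name;
echo $safe_id;
"""


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_PHP)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.kind}] via {', '.join(f.variables)}: {f.code}")
```

Run it with the unpacked source directory as the argument to scan a real tree, or without arguments to scan the constructed sample. Every hit still has to be read by hand: the scan does not know a wrapper's semantics, so a helper that does escape its input shows up until you add it to the sanitizer list, and a helper that does not (the case this post is about) is exactly what stays in the output.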
After a while I was able to identify a potential SQL injection bug. I decided to put the request in a txt file and run it with sqlmap:




And here is the full request to the webapp, so you should be able to verify it for yourself:






I found that the request goes through the function get_by_name():


You can check it here as well:


While looking for the parameters here (and trying to understand what is going on in the code), I found a function called prepare_string() that seems to be vulnerable (it does no filtering of the strings it "prepares"):


Check here:






After I found this, I wondered how many calls to prepare_string() we would find in the code:


Looks promising enough to start searching for more bugs... :)

A small verification: prepare_string(vulnParam) - XSS:






Unfiltered code, injected:



Good. Let's check our SQL bug now:





It looks like this is it. :)
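To make the two findings above concrete, here is an added Python model of the bug class: a prepare_string()-style helper that returns its input unchanged, feeding a get_by_name()-style lookup built by string concatenation (the SQL injection) and an HTML page (the XSS), each next to a fixed version. This is example code written for this post, not TestLink's code: the helper only models the "no filtering" behaviour observed above, and the table, column and payloads are constructed to mirror the pattern.

```python
"""Model of the two bugs discussed in the post: a prepare_string()-style helper
that returns its input unchanged, feeding (a) a get_by_name()-style lookup built
by string concatenation and (b) an HTML page, each beside a fixed version.

Example code written for this post, not TestLink's own code: the table, column
and function names are illustrative and chosen only to mirror the pattern.
"""
import html
import sqlite3


def prepare_string(s: str) -> str:
    """Stand-in for a "sanitizer" that does no escaping (what the post observed)."""
    return s


def make_db() -> sqlite3.Connection:
    # Constructed data: two public plans and one the lookup should never return.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testplans (id INTEGER PRIMARY KEY, name TEXT, is_public INTEGER)")
    conn.executemany(
        "INSERT INTO testplans (name, is_public) VALUES (?, ?)",
        [("Release 1", 1), ("Release 2", 1), ("Internal", 0)],
    )
    return conn


def get_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern from the post: value goes through the helper, then into SQL by concatenation."""
    prepared = prepare_string(name)
    sql = ("SELECT id, name FROM testplans WHERE name = '" + prepared
           + "' AND is_public = 1")
    return conn.execute(sql).fetchall()


def get_by_name_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter: the value can never change the SQL."""
    sql = "SELECT id, name FROM testplans WHERE name = ? AND is_public = 1"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Reflecting the "prepared" value straight into HTML is the XSS half."""
    return "<h1>Test plan: " + prepare_string(name) + "</h1>"


def render_fixed(name: str) -> str:
    """Output encoding for the HTML context the value lands in."""
    return "<h1>Test plan: " + html.escape(name, quote=True) + "</h1>"


# Constructed payloads.
SQLI_PAYLOAD = "x' OR 1=1 -- "            # closes the quote, widens WHERE, comments out the rest
XSS_PAYLOAD = '<img src=x onerror="alert(1)">'


def demo() -> dict:
    conn = make_db()
    return {
        "legit": get_by_name_vulnerable(conn, "Release 1"),
        "sqli_vulnerable": get_by_name_vulnerable(conn, SQLI_PAYLOAD),
        "sqli_fixed": get_by_name_fixed(conn, SQLI_PAYLOAD),
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),
        "xss_fixed": render_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns every row, including the non-public one, because the payload turns the WHERE clause into `name = 'x' OR 1=1` and comments out the rest; the parameterized version returns nothing for the same input. On the XSS side, the only real fix is encoding for the output context, which is why a helper that merely "prepares" a string without escaping anything provides no protection for either sink.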

I think you can find a few more bugs there, but I will leave that to you as an exercise.

Happy bug hunting in the New Year ;)

Cheers


