MantisBT - TestLink
View Issue Details
ID: 0006651
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2014-10-06 23:38
Last Update: 2014-10-07 22:02
Reporter: EgiX
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.9.12 (2014 Q3)
Fixed in Version: 1.9.13 (2015 #1)
Database: MySQL
QA Team - Task Workflow Status: READY FOR TESTING
Summary: 0006651: PHP Object Injection Vulnerability In /lib/execute/execSetResults.php
Description:
There's a PHP object injection vulnerability in the /lib/execute/execSetResults.php script: user input passed through the "filter_result_result" request parameter (which is assigned to $args->filter_status) isn't properly sanitized before being used in a call to the unserialize() function.

This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an attacker to delete arbitrary files, conduct Server-Side Request Forgery (SSRF), SQL Injection or Local/Remote File Inclusion attacks.

NOTE: the same script is affected by a path disclosure weakness, which in this case might be useful for the file deletion vector (see poi-delete.php).
Please find attached three PHP scripts to reproduce the file deletion, SQL injection and file inclusion attacks. The scripts are intended to be used from the command line (CLI).
No tags attached.
Relationships: child of 0006609 (closed, fman): Availables hot-fixes for 1.9.12 & How To get full fixed package from gitorious
Attached Files: PoCs.zip (4,300) 2014-10-06 23:38
http://mantis.testlink.org/file_download.php?file_id=3895&type=bug
Issue History
Date Modified | Username | Field | Change
2014-10-06 23:38 | EgiX | New Issue
2014-10-06 23:38 | EgiX | File Added: PoCs.zip
2014-10-07 05:03 | fman | Note Added: 0021864
2014-10-07 20:12 | fman | Note Added: 0021881
2014-10-07 20:22 | fman | Note Added: 0021882
2014-10-07 20:25 | fman | Note Edited: 0021882
2014-10-07 20:39 | fman | Assigned To | => fman
2014-10-07 20:39 | fman | Status | new => assigned
2014-10-07 20:40 | fman | QA Team - Task Workflow Status | => TBD
2014-10-07 21:07 | fman | Note Added: 0021884
2014-10-07 21:10 | fman | Note Added: 0021885
2014-10-07 21:17 | fman | Note Added: 0021886
2014-10-07 21:43 | EgiX | Note Added: 0021888
2014-10-07 21:45 | fman | Relationship added | child of 0006609
2014-10-07 21:45 | fman | View Status | private => public
2014-10-07 21:46 | fman | QA Team - Task Workflow Status | TBD => READY FOR TESTING
2014-10-07 21:46 | fman | Note Added: 0021889
2014-10-07 21:46 | fman | Status | assigned => resolved
2014-10-07 21:46 | fman | Fixed in Version | => 1.9.13 (2015 #1)
2014-10-07 21:46 | fman | Resolution | open => fixed
2014-10-07 21:51 | fman | Note Added: 0021890
2014-10-07 21:52 | EgiX | Note Added: 0021891
2014-10-07 21:52 | EgiX | Note Deleted: 0021891
2014-10-07 21:58 | EgiX | Note Added: 0021892
2014-10-07 22:00 | fman | Note Deleted: 0021892
2014-10-07 22:01 | fman | Note Deleted: 0021884
2014-10-07 22:02 | fman | Status | resolved => closed
2015-09-15 21:09 | fman | Category | Security => Security - XSS
2015-09-15 21:10 | fman | Category | Security - XSS => Security - General

Notes
(0021864)
fman   
2014-10-07 05:03   
Thanks for your help
(0021881)
fman   
2014-10-07 20:12   
User indicates that the option seems to be to replace serialize with json encode/decode.
(0021882)
fman   
2014-10-07 20:22   
(edited on: 2014-10-07 20:25)
https://vagosec.org/2013/09/wordpress-php-object-injection/
http://security.stackexchange.com/questions/63179/php-object-injection-prevention-owasp

(0021885)
fman   
2014-10-07 21:10   
>> reveal the full webroot path within debug messages
Would you mind explaining this better? It's not clear how the debug messages are produced/generated.
(0021886)
fman   
2014-10-07 21:17   
https://www.htbridge.com/vulnerability/information-exposure-through-externally-generated-error-message.html#mitigations
(0021888)
EgiX   
2014-10-07 21:43   
With regard to commit #a519da3, I won't test it, because I'm pretty confident it solves the vulnerability.

The only thing to check is whether it breaks something, but I don't think so, unless the "active_filters" array is intended to contain objects, and not just simple variable types (like arrays, strings, ints, floats, etc.).
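The sink the report describes (a request parameter handed straight to unserialize()) next to the serialize-to-JSON option discussed in notes 0021881 and 0021888, as an added illustration. This is not TestLink's code and not the change in commit a519da3: the CacheFile class, its destructor, both helper functions and the temporary file are hypothetical; only the parameter name filter_result_result comes from the report.

```php
<?php
// Added illustration, not TestLink code: a request parameter fed to unserialize()
// versus the same data restored through a JSON round-trip.
// Hypothetical: class CacheFile, both helper functions, the temp file.
// From the report: the parameter name 'filter_result_result'.

// A gadget class: any loaded class whose magic method (__destruct, __wakeup,
// __toString, ...) touches files, the database or the network. Its destructor
// runs when the injected object is freed, so unserialize() alone triggers it;
// no further call site in the application is needed.
class CacheFile
{
    public $path;

    public function __destruct()
    {
        if (is_string($this->path) && is_file($this->path)) {
            @unlink($this->path); // attacker-chosen path => arbitrary file deletion
        }
    }
}

// Vulnerable pattern described in the report: untrusted bytes straight into
// unserialize(), which instantiates whatever class the payload names.
function restoreFiltersVulnerable(array $request)
{
    if (!isset($request['filter_result_result'])) {
        return null;
    }
    return unserialize($request['filter_result_result']); // object injection sink
}

// Hardened pattern (the serialize -> JSON option from note 0021881):
// json_decode() with $assoc = true yields only arrays and scalars, never an
// instance of an application class, so no magic method can fire. The shape is
// then checked, because the decoded data is still untrusted input.
function restoreFiltersHardened(array $request)
{
    if (!isset($request['filter_result_result'])) {
        return null;
    }
    $decoded = json_decode($request['filter_result_result'], true, 8);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null;
    }
    return $decoded;
}

// Constructed payload: a serialized CacheFile pointing at a file the web server
// may delete. In a real attack this string would arrive in the request.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$gadget = new CacheFile();
$gadget->path = $victim;
$payload = serialize($gadget);      // O:9:"CacheFile":1:{s:4:"path";s:..:"...";}
$gadget->path = null;               // keep our own instance from firing
unset($gadget);

// 1. Vulnerable: the class is instantiated from the payload and the destructor
//    removes the file as soon as the object goes out of scope.
$obj = restoreFiltersVulnerable(['filter_result_result' => $payload]);
printf("vulnerable: restored a %s, file exists before free: %s\n",
    get_class($obj), is_file($victim) ? 'yes' : 'no');
unset($obj);
printf("vulnerable: file exists after free: %s\n", is_file($victim) ? 'yes' : 'no');

// 2. Hardened: the serialized bytes are not JSON and are rejected; a JSON
//    array of filter values is accepted as plain data, and the file survives.
file_put_contents($victim, '');
var_dump(restoreFiltersHardened(['filter_result_result' => $payload]));
var_dump(restoreFiltersHardened(
    ['filter_result_result' => json_encode(['status' => ['p', 'f']])]));
printf("hardened: file exists: %s\n", is_file($victim) ? 'yes' : 'no');
unlink($victim);
```

Run from the CLI: the vulnerable call restores a CacheFile and the temp file is gone once it is freed; the hardened call returns null for the serialized bytes, returns a plain array for the JSON input, and leaves the file in place. Two caveats for anyone applying the same idea: if the serialize() format must be kept, PHP 7 and later accept unserialize($data, ['allowed_classes' => false]), which turns any object in the payload into __PHP_Incomplete_Class instead of instantiating it; and a JSON round-trip only removes the object-instantiation vector, so the decoded values still need the same validation and escaping as any other request data before they reach SQL or the file system.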
(0021889)
fman   
2014-10-07 21:46   
https://gitorious.org/testlink-ga/testlink-code/commit/a519da3a45d80077e4eab957eb793b03652f57dc
(0021890)
fman   
2014-10-07 21:51   
>> So I guess you haven't looked at my Proof of Concept code.
>> However, you can reproduce the issue manually using your browser:
If I kindly ask for an explanation and you do not want to provide it, please just say '... I do not want to help you ...', otherwise please just provide the requested answer.