MantisBT - TestLink
View Issue Details
ID: 0008718
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2019-07-08 09:46
Last Update: 2019-07-13 11:12
Reporter: danzone
Priority: high
Severity: major
Reproducibility: random
Status: new
Resolution: open
Platform: Linux Kernel 3.10
OS: CentOS
OS Version: 7.5.1804
Product Version: 1.9.18 (2018 Q3)
PostgreSQL
n.a.
7.1.18
Summary: 0008718: Suspicious remote account creation even when user registration has been disabled
We are facing a strange issue: in the last two weeks we have had two attacks on our public Testlink instance: https://production.eng.it/testlink
We started to receive a lot of email notifications about newly created Testlink accounts, with typical SQL/command injection patterns.
So we decided to disable the possibility for end users to register themselves ($tlCfg->user_self_signup = FALSE within the custom_config.inc.php file).

Last Friday (July 5th) we had the same attack, and we started to receive a lot of email notifications about new accounts created in our Testlink instance, even with user self signup disabled.

The emails stopped when we shut down the Testlink instance.

In both cases, however, no new account was actually created (double-checked from the Testlink GUI and directly within the DB), and I also checked whether there are remote APIs to create accounts, but Testlink doesn't actually have a remote API for this.

Moreover: no trace in the Testlink or web server logs of remote invocation of Testlink account creation functionality.

Is there something else we have to take into account to prevent this kind of attack?
Steps To Reproduce: Not enough information to reproduce it
Tags: No tags attached.
Attached Files: Screen Shot 2019-07-13 at 13.08.33.png (40,085 bytes) 2019-07-13 11:12
http://mantis.testlink.org/file_download.php?file_id=5182&type=bug
Issue History
2019-07-08 09:46 | danzone | New Issue
2019-07-08 10:00 | danzone | Note Added: 0028990
2019-07-13 11:01 | fman | Note Added: 0029022
2019-07-13 11:05 | fman | Note Edited: 0029022 | bug_revision_view_page.php?bugnote_id=29022#r5893
2019-07-13 11:11 | fman | Note Edited: 0029022 | bug_revision_view_page.php?bugnote_id=29022#r5894
2019-07-13 11:12 | fman | Note Edited: 0029022 | bug_revision_view_page.php?bugnote_id=29022#r5895
2019-07-13 11:12 | fman | File Added: Screen Shot 2019-07-13 at 13.08.33.png

Notes
(0028990) danzone, 2019-07-08 10:00
Just in case: could there be a bug in the notification mechanism, so that it sends a notification email even when the new account isn't actually created?
(0029022) fman, 2019-07-13 11:01 (edited on: 2019-07-13 11:12)
Unfortunately, if you cannot provide an example of how to reproduce the attack, it is very difficult to develop a remediation.

Can you provide some samples of the mails you have received?

Remove the firstLogin.php file as a security measure.

Just tested and got the attached image.

The attack is not using this page.
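A hardening check for the two controls discussed in this ticket (the $tlCfg->user_self_signup = FALSE setting in custom_config.inc.php from the report, and the removal of firstLogin.php suggested in note 0029022), plus a count of access-log hits on that page, added here as example code and not taken from the ticket or from the TestLink project. It assumes that TestLink's default for user_self_signup is TRUE when custom_config.inc.php does not set it, and that firstLogin.php lives in the TestLink root directory.

```shell
#!/bin/sh
# Audit the self-registration controls of a TestLink install.
# Usage: audit_testlink_signup /path/to/testlink
# Prints one line per control; returns 0 only when both controls hold.
audit_testlink_signup() {
  root="$1"
  cfg="$root/custom_config.inc.php"
  rc=0

  # Control 1: effective value of $tlCfg->user_self_signup.
  # Assumption: a line missing from custom_config.inc.php means the
  # TestLink default (TRUE) applies, so "unset" is treated as enabled.
  if [ -f "$cfg" ]; then
    # drop // and # comments, keep the last assignment (PHP semantics),
    # then extract and lowercase the assigned value
    val=$(sed -e 's://.*$::' -e 's:#.*$::' "$cfg" \
          | grep -i 'tlCfg->user_self_signup' \
          | tail -n 1 \
          | sed -e 's/.*=[[:space:]]*//' -e 's/[[:space:];]*$//' \
          | tr '[:upper:]' '[:lower:]')
  else
    val=""
  fi
  if [ "$val" = "false" ]; then
    echo "OK   user_self_signup = FALSE"
  else
    echo "FAIL user_self_signup is '${val:-unset (default TRUE)}'"
    rc=1
  fi

  # Control 2: the self-registration entry point should be gone.
  if [ -e "$root/firstLogin.php" ]; then
    echo "FAIL firstLogin.php is still present"
    rc=1
  else
    echo "OK   firstLogin.php removed"
  fi
  return $rc
}

# Count requests for firstLogin.php in a web server access log.
# The reporter saw none; a non-zero count would contradict that.
count_signup_hits() {
  grep -c 'firstLogin\.php' "$1" || true
}
```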