MantisBT - TestLink
View Issue Details
ID: 0008808
Project: TestLink
Category: Security - XSS
View Status: public
Date Submitted: 2019-12-02 16:30
Last Update: 2020-01-01 15:26
Reporter: Sudoka
Assigned To: fman
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.9.19.01 (1.9.19 fixes)
Fixed in Version: 1.9.20
N/A
QA Team - Task Workflow Status: READY FOR TESTING
0008808: TestLink v1.9.19.1 - Bypass security fix for XSS at index.php
In the commit https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/0e3e907990f40483c0cd850744bc995011826799, the function strpos is used to check whether the parameter reqURI contains the word "javascript".

However, strpos is case-sensitive, which means we can bypass it by using "jAvascript", "javaScript",...

For example, accessing the URL /index.php?reqURI=jAvascript:alert('XSS') will still trigger the XSS payload.

I suggest using the function stripos instead.
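The two checks the report compares, plus an allowlist alternative, as an added PHP example that is not TestLink's own code; the function names, the regular expression and the sample path are assumptions of this example.

```php
<?php
// Added example, not TestLink code. Function names are hypothetical.

// Before: the case-sensitive substring check the report describes.
function is_blocked_by_strpos(string $reqURI): bool
{
    return strpos($reqURI, 'javascript') !== false;
}

// After: the case-insensitive variant the report suggests.
function is_blocked_by_stripos(string $reqURI): bool
{
    return stripos($reqURI, 'javascript') !== false;
}

// Assumed stronger control: accept only an in-application path, so no
// scheme at all has to be enumerated or matched.
function is_allowed_requri(string $reqURI): bool
{
    // Any scheme prefix ("javascript:", "http:", ...) is rejected
    // regardless of letter case.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $reqURI) === 1) {
        return false;
    }
    // A protocol-relative "//host" prefix is rejected as well.
    if (substr($reqURI, 0, 2) === '//') {
        return false;
    }
    // Only an absolute in-application path is accepted.
    return $reqURI !== '' && $reqURI[0] === '/';
}

// Inputs: the two payloads quoted in the report and a constructed benign path.
$samples = [
    "javascript:alert('XSS')",   // blocked by both substring checks
    "jAvascript:alert('XSS')",   // the reported bypass: passes strpos, caught by stripos
    "/some/page.php",            // constructed legitimate target
];

foreach ($samples as $s) {
    printf("%-26s strpos:%-5s stripos:%-5s allowlist:%s\n",
        $s,
        is_blocked_by_strpos($s) ? 'block' : 'pass',
        is_blocked_by_stripos($s) ? 'block' : 'pass',
        is_allowed_requri($s) ? 'allow' : 'deny');
}
```

A case-insensitive substring match only closes the letter-case variation reported here; restricting reqURI to an in-application path removes the need to enumerate dangerous schemes at all.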
No tags attached.
Issue History
2019-12-02 16:30 | Sudoka | New Issue
2019-12-05 17:59 | fman | Note Added: 0029319
2019-12-31 14:11 | fman | QA Team - Task Workflow Status => READY FOR TESTING
2019-12-31 14:11 | fman | Status: new => resolved
2019-12-31 14:11 | fman | Fixed in Version => 1.9.20
2019-12-31 14:11 | fman | Resolution: open => fixed
2019-12-31 14:11 | fman | Assigned To => fman
2020-01-01 04:05 | Sudoka | Note Added: 0029373
2020-01-01 15:26 | fman | Note Added: 0029376

Notes
(0029319) fman, 2019-12-05 17:59
Hi, thanks a lot
(0029373) Sudoka, 2020-01-01 04:05
Hi,
It's fixed.
Could I get a CVE number for this bug?
Thank you in advance and Happy New Year!
(0029376) fman, 2020-01-01 15:26
Ok, go ahead