MantisBT - TestLink
View Issue Details
ID: 0008808
Project: TestLink
Category: Security - XSS
View Status: public
Date Submitted: 2019-12-02 16:30
Last Update: 2019-12-05 17:59
Reporter: Sudoka
 
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.9.19.01 (1.9.19 fixes)
 
N/A
0008808: TestLink v1.9.19.1 - Bypass security fix for XSS at index.php
In the commit https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/0e3e907990f40483c0cd850744bc995011826799, the function strpos is used to check whether the parameter reqURI contains the word "javascript".

However, strpos is case-sensitive, which means we can bypass it by using "jAvascript", "javaScript",...

For example, accessing the URL /index.php?reqURI=jAvascript:alert('XSS') will still trigger the XSS payload.

I suggest using the function stripos instead.
No tags attached.
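The check described in the report, shown as an added illustration (not TestLink's code): the case-sensitive strpos() blocklist beside a validator that goes further than the reporter's stripos() suggestion by accepting only relative application paths, so that the scheme is refused regardless of letter case. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from TestLink. Demonstrates why a case-sensitive
// substring check is not a usable defence for a redirect/URI parameter.

// Pattern from the report: strpos() compares bytes exactly, so any change in
// letter case inside the scheme slips past this check.
function isBlockedCaseSensitive(string $reqURI): bool
{
    return strpos($reqURI, 'javascript') !== false;
}

// Hardened variant (constructed for this example): instead of searching for
// one bad word, accept only values that look like a relative path inside the
// application and refuse anything carrying a scheme, case-insensitively.
function isSafeRelativeTarget(string $reqURI): bool
{
    // Browsers drop ASCII control characters and whitespace when they parse a
    // scheme, so strip them first to inspect what the browser would see.
    $normalised = preg_replace('/[\x00-\x20]/', '', $reqURI);
    if ($normalised === null || $normalised === '') {
        return false;
    }
    // Any "scheme:" prefix is refused; /i makes the match case-insensitive.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $normalised) === 1) {
        return false;
    }
    // "//host" and "/\host" are protocol-relative, i.e. external, targets.
    if (preg_match('#^[/\\\\]{2}#', $normalised) === 1) {
        return false;
    }
    // What remains is a plain path such as "lib/general/mainPage.php".
    return true;
}

// Constructed inputs: the bypass string from the report plus a benign path.
$samples = [
    "javascript:alert('XSS')",
    "jAvascript:alert('XSS')",
    "lib/general/mainPage.php",
];
foreach ($samples as $s) {
    printf("%-28s blocked(strpos)=%s safe(allowlist)=%s\n",
        $s,
        isBlockedCaseSensitive($s) ? 'yes' : 'no',
        isSafeRelativeTarget($s) ? 'yes' : 'no');
}
```

The second sample is the one the report describes: the strpos() check does not block it, while the allowlist validator rejects it because a scheme is present regardless of case.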
Issue History
2019-12-02 16:30 | Sudoka | New Issue
2019-12-05 17:59 | fman | Note Added: 0029319

Notes
(0029319) fman, 2019-12-05 17:59
Hi, thanks a lot