MantisBT - TestLink | |||||
| View Issue Details | |||||
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0008808 | TestLink | Security - XSS | public | 2019-12-02 16:30 | 2019-12-05 17:59 |
| Reporter | Sudoka | ||||
| Assigned To | |||||
| Priority | high | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | ||
| Platform | OS | OS Version | |||
| Product Version | 1.9.19.01 (1.9.19 fixes) | ||||
| Fixed in Version | |||||
| Act. Work | |||||
| Issue Report Quality | |||||
| Database (MySQL,Postgres,etc) | N/A | ||||
| Browser | |||||
| PHP Version | |||||
| TestCaseID | |||||
| QA Team - Task Workflow Status | |||||
| Summary | 0008808: TestLink v1.9.19.1 - Bypass security fix for XSS at index.php | ||||
| Description | In the commit https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/0e3e907990f40483c0cd850744bc995011826799, [^] the function strpos is used to check the parameter reqURI whether it contains the word "javascript". However, strpos is case-sensitive, which means we can bypass it by using "jAvascript", "javaScript",... For example, accessing the URL /index.php?reqURI=jAvascript:alert('XSS') will still trigger the XSS payload. I suggest using the function stripos instead. | ||||
| Steps To Reproduce | |||||
| Additional Information | |||||
| Tags | No tags attached. | ||||
| Relationships | |||||
| Attached Files | |||||
| Issue History | |||||
| Date Modified | Username | Field | Change | ||
| 2019-12-02 16:30 | Sudoka | New Issue | |||
| 2019-12-05 17:59 | fman | Note Added: 0029319 | |||
| Notes | |||||
|
|
|||||
|
|
||||