MantisBT - TestLink
View Issue Details
ID: 0008931
Project: TestLink
Category: Test Spec. - inline images
View Status: public
Date Submitted: 2020-06-05 05:41
Last Update: 2020-06-15 13:04
Reporter: xiaochan
Assigned To: fman
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.9.20
Fixed in Version: 1.9.20_fixed
Database: MySQL
QA Team - Task Workflow Status: TBD
Summary: 0008931: TestLink 1.9.20 has CSRF, and users can be disabled without the knowledge of the admin administrator
Description:
TestLink has a CSRF vulnerability, which can be exploited by ordinary users to make admin perform operations without knowledge.
Steps To Reproduce:
1. Ordinary users such as test log in to the TestLink system and enter the use case editing interface
2. In the Use Case Add Step interface, select Insert Picture
3. Here the URL input is an operation that can only be performed by admin, such as disabling the user
http://127.0.0.1/testlink/lib/usermanagement/usersView.php?operation=disable&user=3
Click save
4. admin logs in to TestLink to browse the use case
5. It is found that the account of user 3 has been disabled; the user id can be traversed
Additional Information:
Ordinary users can use CSRF to make admin perform operations without knowledge. In addition to disabling users, other GET request operations are also affected.
This CSRF can complete the attack without using a third-party website, using TestLink's own image upload function.
No tags attached.
Attached Files: TestLink _has_csrf.png (214,780 bytes) 2020-06-05 05:41
http://mantis.testlink.org/file_download.php?file_id=5352&type=bug
Issue History
2020-06-05 05:41 | xiaochan | New Issue
2020-06-05 05:41 | xiaochan | File Added: TestLink _has_csrf.png
2020-06-05 07:47 | fman | Note Added: 0029730
2020-06-05 09:52 | xiaochan | Note Added: 0029731
2020-06-05 10:06 | fman | Note Added: 0029732
2020-06-05 10:07 | fman | Note Edited: 0029732 (bug_revision_view_page.php?bugnote_id=29732#r6072)
2020-06-05 10:07 | fman | Assigned To => fman
2020-06-05 10:07 | fman | Status: new => feedback
2020-06-05 13:00 | fman | Note Added: 0029733
2020-06-07 09:55 | xiaochan | Note Added: 0029738
2020-06-07 09:55 | xiaochan | Status: feedback => assigned
2020-06-07 16:59 | fman | Note Added: 0029739
2020-06-07 18:21 | fman | Note Added: 0029743
2020-06-07 18:21 | fman | Status: assigned => feedback
2020-06-08 06:27 | xiaochan | Note Added: 0029746
2020-06-08 06:27 | xiaochan | Status: feedback => assigned
2020-06-08 06:51 | fman | Note Added: 0029747
2020-06-08 07:09 | xiaochan | Note Added: 0029749
2020-06-08 18:25 | fman | Note Added: 0029750
2020-06-08 18:26 | fman | QA Team - Task Workflow Status => TBD
2020-06-08 18:26 | fman | Status: assigned => resolved
2020-06-08 18:26 | fman | Fixed in Version => 1.9.20_fixed
2020-06-08 18:26 | fman | Resolution: open => fixed
2020-06-13 12:45 | xiaochan | Note Added: 0029761
2020-06-13 14:09 | fman | Note Added: 0029762
2020-06-15 13:04 | xiaochan | Note Added: 0029765

Notes
(0029730) fman, 2020-06-05 07:47
>> In addition to disabling users, they also include other get requests operations
What are all these operations?
Without details it is impossible to fix.
(0029731) xiaochan, 2020-06-05 09:52
There is also a link to delete the platform:
http://127.0.0.1/testlink/lib/platforms/platformsEdit.php?tproject_id=1&doAction=do_delete&id=2
(0029732) fman, 2020-06-05 10:06 (edited on: 2020-06-05 10:07)
Tested using github branch testlink_1_9_20_fixed

1. login as admin user
2. create a new user aa with default role senior_tester
3. logout
4. login as aa
5. create test case
6. create one step, using the rich web editor add image with URL
http://testlink-dev/lib/usermanagement/usersView.php?operation=disable&user=3
7. save
8. logout
9. login as admin user
10. check users
11. nothing has changed on user with ID=3

(0029733) fman, 2020-06-05 13:00
Please provide the rights that are present in the role of the user used for the tests.
Without this information, no other investigation can be done.
(0029738) xiaochan, 2020-06-07 09:55
Tested using github branch testlink_1_9_20_fixed
1. login as admin user
2. Create two new users test1 and test2 with default role senior_tester
3. logout
4. login as test1
5. create test case
6. create one step, using the rich web editor add image with URL
http://testlink-dev/lib/usermanagement/usersView.php?operation=disable&user=3
In the Alternative Text input box, enter 111
7. save
8. logout
9. Log in as the admin user to view the use case created by the test user in step five
10. check users
11. User test2 with id 3 changes from active to inactive
(0029739) fman, 2020-06-07 16:59
Thanks, now it is clear.
Please do not use terms that create confusion -> "use case" does not exist in TestLink; the right term is Test Case.
(0029743) fman, 2020-06-07 18:21
For disable user:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/5cd7d8eaaf6c5a04e8ffc203b2e91c43b815b1f9

please install, retest and provide feedback
(0029746) xiaochan, 2020-06-08 06:27
I checked your repair plan: you fix it by checking the Referer in the request header. I think this repair method can be bypassed. The specific bypass method is: construct the access path of the third-party website as http://host/lib/usermanagement/usersView.php, load an image on that page, and set the src of the image to the disable-user request URL, so that the Referer of the constructed request will include "/lib/usermanagement/usersView.php".
(0029747) fman, 2020-06-08 06:51
Hi,
this is part of the risk but it is a little bit mitigated, and has to be accepted as the first workaround.
(0029749) xiaochan, 2020-06-08 07:09
It is recommended that, in addition to checking the Referer of the request header, the request method should be changed from GET to POST.
(0029750) fman, 2020-06-08 18:25
Changing from GET to POST means a lot of work, and cannot be done now.
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/c2fe5770c590a0bd0b4ec9b49ce3efa729acff90
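The two fix options argued over in notes 0029746 and 0029749 (a Referer check, which a foreign origin mirroring the script path can satisfy, versus rejecting GET for state-changing operations and requiring a per-session token) side by side, as an added illustration that is not TestLink's PHP code; APP_ORIGIN, the operation names and the header/session/form dictionaries are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the application is served from (assumed; constructed for this example).
APP_ORIGIN = "http://testlink-dev"
# Query-string operations that change state and so must never be reachable via GET.
STATE_CHANGING_OPS = {"disable", "delete", "do_delete"}


def referer_path_check(referer: str) -> bool:
    """Weak check: accepts any Referer whose path contains the script name.
    This is the pattern note 0029746 describes as bypassable: a page on another
    origin hosted under the same path also passes."""
    return "/lib/usermanagement/usersView.php" in referer


def same_origin(header_value: str) -> bool:
    """Compare scheme and host:port of an Origin/Referer value exactly against APP_ORIGIN."""
    if not header_value:
        return False
    got, want = urlsplit(header_value), urlsplit(APP_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token; the server keeps it and embeds it in its own forms only."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hardened_check(method: str, operation: str, headers: dict, session: dict, form: dict) -> bool:
    """Allow a state-changing operation only when all of these hold:
    1. the request is a POST (an <img src> can only ever issue a GET),
    2. Origin (or Referer as fallback) matches the application origin exactly,
    3. the submitted token equals the session token (constant-time compare)."""
    if operation in STATE_CHANGING_OPS and method.upper() != "POST":
        return False
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin):
        return False
    expected, submitted = session.get("csrf_token"), form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

The in-app image vector from the report sends a same-origin Referer, so only the method and token rules stop it; the foreign-page variant from note 0029746 is additionally stopped by the exact origin comparison.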
(0029761) xiaochan, 2020-06-13 12:45
Hello, can this bug apply for a CVE number?
(0029762) fman, 2020-06-13 14:09
1. have you tested this fix and is working?
2. feel free to apply for the CVE
(0029765) xiaochan, 2020-06-15 13:04
This time your commits are fine.