Mantis Bugtracker          
testlink.org

ID: 0003469
Project: TestLink
Category: Documentation (Install, User Manual, help)
View Status: public
Date Submitted: 2010-05-18 11:25
Last Update: 2011-07-02 13:49
Reporter: twelve
Assigned To: Julian
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.0 (planned)
Fixed in Version: 1.9.3 (2011 Q3 - bug fixing)
Summary: 0003469: Documentation recommends insecure configuration for FCK editor
Description: There's a document on the Testlink website, "HowTo configure: upload images using FCK editor" (http://www.teamst.org/index.php/news-mainmenu-2/13-development/43-howto-configure-upload-images-using-fck-editor), that recommends setting "$Config['Enabled'] = true ;" to enable the upload feature of the FCK editor.
After doing this, *everyone* can upload files to the Testlink server, regardless of whether he is logged in or even has an account at all. All he needs to know is the URL of the upload function of the FCK editor, but since the files are always in the same place in a Testlink installation, it's not difficult to find out.

All you need to do to exploit this vulnerability is to find a Testlink installation and hope that the administrator enabled the upload feature of FCK editor. Then you have a public file share server.
Additional Information: I recommend
- either replacing "$Config['Enabled'] = true ;" with "$Config['Enabled'] = checkUpload();" in the documentation and then adding a function "checkUpload()" that checks if the user actually has permission to upload files to Testlink
- or adding a note to the document stating that this howto must NOT be followed on publicly available servers.

A checkUpload() function could look something like this:

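    function checkUpload()
    {
        // Resume the PHP session of the requesting browser.
        session_start();
        // Allow uploads only if the session has a currentUser entry.
        return (isset($_SESSION['currentUser']));
    }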
Tags: No tags attached.
Database (MySQL,Postgres,etc):
Browser:
PHP Version:
TestCaseID:
QA Team - Task Workflow Status:
Attached Files: Configuration_of_FCKEditor_and_CKFinder.pdf (201,776 bytes) 2011-04-14 09:11


-  Notes
(0010060)
fman (administrator)
2010-05-18 18:48

Reminder sent to: asimon

Do you think you will be able to take a look in the far future?
(0010064)
asimon (developer)
2010-05-19 07:20

The document mentioned here is very old and related to TL 1.7, so users should be careful when applying these changes to the current version of TestLink.
For the moment it should be enough to add a very big notice to said document as a warning for users, saying that this configuration is not recommended and very insecure.

When I find the time, I (or we) will look into it sometime in the future. I can't add the notice to this document though, that has to be done by someone with editing rights on the CMS :)
(0010067)
Julian (manager)
2010-05-19 09:59
edited on: 2010-05-19 10:02

Please also consider http://www.teamst.org/index.php/doc -> Enhanced configuration of HTML editor by Julian (pdf format)

Right now the link is broken.

We should rework this document and remove the old article on the web.

(0010068)
twelve (reporter)
2010-05-19 11:06

And one more: docs/config_fckeditor_upload.txt in the Testlink installation, which is available from the help menu, also suggests setting $Config['Enabled'] = true
(0014607)
Julian (manager)
2011-04-14 09:11
edited on: 2011-04-14 09:16

branch 1.9:
http://gitorious.org/testlink-ga/testlink-code/commit/30f392b824a08bc8f7190a423c97f95e5068e609

master:
http://gitorious.org/testlink-ga/testlink-code/commit/e89690320f15d6106cc271b179640aa84f7278bd

Sadly the diff for the pdf is shown... I will attach the new document here. Let me know if this works for everyone.

(0015467)
fman (administrator)
2011-07-02 13:49

1.9.3 released
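
An added example, not part of the original report or of TestLink's code: a small Python audit that classifies how a PHP config file sets $Config['Enabled'], the setting the report and note 0010068 describe. The function names and the sample config fragments are constructed for illustration, and the caller is assumed to supply the file contents.

```python
import re

# Assignment to $Config['Enabled'] (either quote style), value captured up to ';'.
# '=(?!=)' skips comparisons such as $Config['Enabled'] == true.
ASSIGN = re.compile(r"""\$Config\s*\[\s*(['"])Enabled\1\s*\]\s*=(?!=)\s*(.*?)\s*;""", re.S)
# PHP comments: /* ... */, // ... and # ...
# Assumption: no comment markers appear inside string literals near the setting.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def classify_enabled(php_source):
    """Return 'open', 'disabled', 'gated' or 'absent' for the effective setting."""
    code = COMMENTS.sub("", php_source)      # ignore commented-out assignments
    values = [m.group(2) for m in ASSIGN.finditer(code)]
    if not values:
        return "absent"
    value = values[-1].lower()               # the last assignment wins at runtime
    if value in ("true", "1"):
        return "open"                        # enabled with no login check at all
    if value in ("false", "0"):
        return "disabled"
    return "gated"                           # an expression, e.g. checkUpload(); review by hand

# Constructed config fragments, not taken from a real installation.
SAMPLES = {
    "howto.php": "<?php\n$Config['Enabled'] = true ;\n",
    "default.php": "<?php\n// $Config['Enabled'] = true ;\n$Config['Enabled'] = false ;\n",
    "gated.php": "<?php\n$Config['Enabled'] = checkUpload();\n",
    "override.php": "<?php\n$Config['Enabled'] = false;\n/* testing */\n$Config[\"Enabled\"] = TRUE;\n",
}

def audit(samples):
    """Map each sample name to its verdict."""
    return {name: classify_enabled(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A "gated" verdict only means the value is an expression rather than a literal; the function it calls still has to be read to confirm it checks the logged-in user.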

- Issue History
Date Modified Username Field Change
2010-05-18 11:25 twelve New Issue
2010-05-18 18:47 fman Assigned To => asimon
2010-05-18 18:47 fman Status new => assigned
2010-05-18 18:48 fman Note Added: 0010060
2010-05-19 07:20 asimon Note Added: 0010064
2010-05-19 09:59 Julian Note Added: 0010067
2010-05-19 10:02 Julian Note Edited: 0010067
2010-05-19 11:06 twelve Note Added: 0010068
2011-02-14 08:44 asimon Assigned To asimon =>
2011-02-14 08:44 asimon Status assigned => acknowledged
2011-02-14 08:44 asimon Product Version 1.9 Beta 3 => 2.0 (planned)
2011-04-14 09:11 Julian Note Added: 0014607
2011-04-14 09:11 Julian Status acknowledged => resolved
2011-04-14 09:11 Julian Fixed in Version => 1.9.3 (2011 Q3 - bug fixing)
2011-04-14 09:11 Julian Resolution open => fixed
2011-04-14 09:11 Julian Assigned To => Julian
2011-04-14 09:11 Julian File Added: Configuration_of_FCKEditor_and_CKFinder.pdf
2011-04-14 09:16 Julian Note Edited: 0014607
2011-07-02 13:49 fman Note Added: 0015467
2011-07-02 13:49 fman Status resolved => closed


