Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0005148
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2012-08-17 07:47
Last Update: 2012-09-01 19:58
Reporter: fman
Assigned To: fman
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: (empty)
OS: (empty)
OS Version: (empty)
Product Version: 1.9.3 (2011 Q3 - bug fixing)
Fixed in Version: 1.9.4 (2012 Q3 - bug fixing)
Summary: 0005148: http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/
Description: http://itsecuritysolutions.org/2012-08-13-TestLink-1.9.3-multiple-vulnerabilities/
Tags: No tags attached.
Database (MySQL,Postgres,etc): N/A
Browser: (empty)
PHP Version: (empty)
TestCaseID: (empty)
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files: (none)

- Relationships
related to 0004977 (closed, kinow): CSRF - Advisory ID: HTB23088 - Reference: https://www.htbridge.com/advisory/HTB23088
related to 0004906 (closed, fman): Several security issues
related to 0005147 (closed, fman): metasploit - TestLink v1.9.3 Arbitrary File Upload Vulnerability
related to 0005151 (closed, fman): [1.9.4 PREVIEW] With the QA Build 20120817, the installation script does not use the correct folder path for logs and upload_area

-  Notes
(0017111)
fman (administrator)
2012-08-17 08:52
edited on: 2012-08-17 08:58

# 0x00 # SQL Injection # Authenticated - Any Role - Solved with: 0004906
# 0x01 # Unrestricted File Upload # Authenticated - Any Role - Solved with: 0005147
# 0x02 # Cross-Site Request Forgery (CSRF) # Authenticated - Admin Role - WIP see 0004977

# 0x03 # Session Identifier Disclosure # Unauthenticated
can be solved by making the folder NOT ACCESSIBLE from the web:
a. using .htaccess
b. configuring $tlCfg->log_path = '/var/testlink/logs/'; /* unix example */

# 0x04 # Information Disclosure # Unauthenticated - WIP

(0017112)
fman (administrator)
2012-08-17 16:27

# 0x04 # Information Disclosure # Unauthenticated - Solved
sysinfo.php has been moved inside install/util/ dir.
install directory has to be REMOVED or RENAMED after installation.
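
The two unauthenticated findings above (0x03 in note 0017111, fixed by keeping the log folder out of reach of the web server, and 0x04 in this note, fixed by removing the install directory) are both deployment-side checks. The script below is an added example, not TestLink's own code or part of the 1.9.4 release: it takes the DocumentRoot, the TestLink directory and the value configured in $tlCfg->log_path, reports whether the log directory is web-reachable without an .htaccess and whether install/ is still present, and can write a deny-all .htaccess. The directory layout, the function names and the constructed temporary tree in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Post-install hardening checks for a TestLink 1.9.x deployment.
# Added example, not TestLink's own code. Assumes the usual layout:
# the application lives under DocumentRoot (e.g. /var/www/testlink),
# $tlCfg->log_path names the directory the logger writes to, and
# install/ (which holds install/util/sysinfo.php in 1.9.4) is still present
# until the administrator removes or renames it.

# Canonical absolute path of a directory, symlinks resolved. Fails if missing.
canon_dir() {
    [ -d "$1" ] || return 1
    ( cd "$1" 2>/dev/null && pwd -P )
}

# 0 if TARGET resolves to ROOT or somewhere beneath it (so the web server can
# serve its files), 1 if it lies outside ROOT, 2 if either directory is missing.
dir_under_webroot() {
    root=$(canon_dir "$1") || return 2
    target=$(canon_dir "$2") || return 2
    case "$target" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write an .htaccess into DIR that denies every HTTP request for it. Both the
# Apache 2.2 (Order/Deny) and 2.4 (Require) forms are emitted so the same file
# works on either version; it only takes effect where AllowOverride permits it.
deny_web_access() {
    cat > "$1/.htaccess" <<'EOF'
# Block direct web access to this directory (TestLink logs contain session IDs)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Audit one install: DocumentRoot, the TestLink directory and the configured
# log_path. Prints findings and returns the number of problems found.
audit_testlink() {
    docroot=$1; tl=$2; log_path=$3
    problems=0
    rc=0; dir_under_webroot "$docroot" "$log_path" || rc=$?
    case $rc in
        2) echo "FAIL: log_path $log_path does not exist"
           problems=$((problems + 1)) ;;
        0) if [ -f "$log_path/.htaccess" ]; then
               echo "OK: $log_path is under DocumentRoot but protected by .htaccess"
           else
               echo "FAIL: $log_path is web-reachable with no .htaccess (0x03)"
               problems=$((problems + 1))
           fi ;;
        *) echo "OK: $log_path is outside DocumentRoot" ;;
    esac
    if [ -d "$tl/install" ]; then
        echo "FAIL: $tl/install still present; sysinfo.php is reachable (0x04)"
        problems=$((problems + 1))
    else
        echo "OK: install directory removed or renamed"
    fi
    return "$problems"
}

# Demo on a constructed layout (not a real install): logs inside the web root
# and install/ left behind, then each of the two fixes applied in turn.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/testlink/logs" "$tmp/www/testlink/install" "$tmp/var/testlink/logs"
    echo "--- fresh install ---"
    audit_testlink "$tmp/www" "$tmp/www/testlink" "$tmp/www/testlink/logs" || true
    echo "--- after deny_web_access on logs/ and rm -rf install/ ---"
    deny_web_access "$tmp/www/testlink/logs"
    rm -rf "$tmp/www/testlink/install"
    audit_testlink "$tmp/www" "$tmp/www/testlink" "$tmp/www/testlink/logs" || true
    echo "--- log_path pointing outside DocumentRoot instead ---"
    audit_testlink "$tmp/www" "$tmp/www/testlink" "$tmp/var/testlink/logs" || true
    rm -rf "$tmp"
}

demo
```

Of the two options in note 0017111, moving $tlCfg->log_path outside DocumentRoot (b) is the more robust one: it does not depend on the web server honouring per-directory overrides, and it covers nginx and other servers that never read .htaccess at all. The .htaccess route (a) is a quick fix for Apache only, and only where AllowOverride for that directory is not None.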

(0017279)
fman (administrator)
2012-09-01 19:58

1.9.4 released

- Issue History
Date Modified Username Field Change
2012-08-17 07:47 fman New Issue
2012-08-17 07:47 fman Status new => assigned
2012-08-17 07:47 fman Assigned To => fman
2012-08-17 08:52 fman Note Added: 0017111
2012-08-17 08:52 fman Relationship added related to 0005147
2012-08-17 08:53 fman Note Edited: 0017111
2012-08-17 08:53 fman Note Edited: 0017111
2012-08-17 08:54 fman Relationship added related to 0004977
2012-08-17 08:54 fman Note Edited: 0017111
2012-08-17 08:56 fman Note Edited: 0017111
2012-08-17 08:57 fman Note Edited: 0017111
2012-08-17 08:57 fman Note Edited: 0017111
2012-08-17 08:58 fman Note Edited: 0017111
2012-08-17 09:03 fman Relationship added related to 0004906
2012-08-17 16:27 fman Note Added: 0017112
2012-08-17 17:45 fman Task Workflow Status TBD => READY FOR TESTING
2012-08-17 17:45 fman Status assigned => resolved
2012-08-17 17:45 fman Fixed in Version => 1.9.4 (2012 Q3 - bug fixing)
2012-08-17 17:45 fman Resolution open => fixed
2012-08-18 15:13 fman Relationship added related to 0005151
2012-09-01 19:58 fman Note Added: 0017279
2012-09-01 19:58 fman Status resolved => closed
2015-09-15 21:09 fman Category Security => Security - XSS
2015-09-15 21:10 fman Category Security - XSS => Security - General
