testlink.org
| Anonymous | Login | Signup for a new account | 2019-02-18 07:07 UTC |  |
| Main | My View | View Issues | Change Log | My Account |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0006498 | TestLink | Security - General | public | 2014-08-13 17:49 | 2014-09-27 16:43 | ||||
| Reporter | cedric | ||||||||
| Assigned To | fman | ||||||||
| Priority | normal | Severity | minor | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | x86_64 | OS | Windows | OS Version | 7 | ||||
| Product Version | 1.9.10 (2014 Q1 - bug fixing) | ||||||||
| Fixed in Version | 1.9.12 (2014 Q3) | ||||||||
| Summary | 0006498: Cross-Site Scripting on /lib/plan/planExport.php (CWE-80) | ||||||||
| Description | There isn't a proper sanitization of the parameter "exportContent". That is used as hidden input on planExport.tpl | ||||||||
| Steps To Reproduce | 1. Login as a valid user. 2. Proof-of-Concept: http://demo.testlink.org/latest/lib/plan/planExport.php?tproject_id=23849&tplan_id=23869&platform_id=0&build_id=361&exportContent=4results%22%3E%3Cbutton%3Exss%3C/button%3E%3Cimg%20src=%22 [^] | ||||||||
| Tags | No tags attached. | ||||||||
| Database (MySQL,Postgres,etc) | MySQL | ||||||||
| Browser | Chrome 28 | ||||||||
| PHP Version | 5.3.3 | ||||||||
| TestCaseID | |||||||||
| QA Team - Task Workflow Status | READY FOR TESTING | ||||||||
| Attached Files | |||||||||
 Relationships |
||||||
|
||||||
 Relationships |
|
Notes |
|
|
(0021454) fman (administrator) 2014-08-13 20:32 |
Thanks I suggests you to get latest code from gitorious because some work have been done regarding security. Thats' because may be you are reportings things that has been already fixed. |
|
(0021457) fman (administrator) 2014-08-13 21:03 |
https://gitorious.org/testlink-ga/testlink-code/commit/1fd82c67eb25618d593f869dc54f0a0a6731a68c [^] |
|
(0021461) cedric (reporter) 2014-08-14 02:19 |
Yeah, I make some tests on demo.testlink.org and look at the current code in gitorious and my own server running testlink. |
|
(0021462) fman (administrator) 2014-08-14 06:53 |
OK, thanks |
|
(0021732) fman (administrator) 2014-09-27 16:43 |
Release done |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2014-08-13 17:49 | cedric | New Issue | |
| 2014-08-13 20:32 | fman | Note Added: 0021454 | |
| 2014-08-13 20:39 | fman | QA Team - Task Workflow Status | => TBD |
| 2014-08-13 21:03 | fman | QA Team - Task Workflow Status | TBD => READY FOR TESTING |
| 2014-08-13 21:03 | fman | Note Added: 0021457 | |
| 2014-08-13 21:03 | fman | Fixed in Version | => 1.9.12 (2014 Q3) |
| 2014-08-13 21:03 | fman | Description Updated | View Revisions |
| 2014-08-13 21:03 | fman | Status | new => resolved |
| 2014-08-13 21:03 | fman | Resolution | open => fixed |
| 2014-08-13 21:03 | fman | Assigned To | => fman |
| 2014-08-13 21:03 | fman | Relationship added | child of 0006457 |
| 2014-08-14 02:19 | cedric | Note Added: 0021461 | |
| 2014-08-14 06:53 | fman | Note Added: 0021462 | |
| 2014-09-27 16:43 | fman | Note Added: 0021732 | |
| 2014-09-27 16:43 | fman | Status | resolved => closed |
| 2015-09-15 21:09 | fman | Category | Security => Security - XSS |
| 2015-09-15 21:10 | fman | Category | Security - XSS => Security - General |
|
Issue History |
| Copyright © 2000 - 2019 MantisBT Team |
 |