Mantis Bugtracker          
testlink.org

ID: 0006651
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2014-10-06 23:38
Last Update: 2014-10-07 22:02
Reporter: EgiX
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.9.12 (2014 Q3)
Fixed in Version: 1.9.13 (2015 #1)
Summary: 0006651: PHP Object Injection Vulnerability In /lib/execute/execSetResults.php

Description:
There's a PHP object injection vulnerability in the /lib/execute/execSetResults.php script: user input passed through the "filter_result_result" request parameter (which is assigned to $args->filter_status) isn't properly sanitized before being used in a call to the unserialize() function.

This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an attacker to delete arbitrary files, conduct Server-Side Request Forgery (SSRF), SQL Injection or Local/Remote File Inclusion attacks.

NOTE: the same script is affected by a path disclosure weakness, which in this case might be useful for the file deletion vector (see poi-delete.php).

Steps To Reproduce:
Please find attached three PHP scripts to reproduce the file deletion, SQL injection and file inclusion attacks. The scripts are intended to be used from the command line (CLI).

Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files: PoCs.zip (4,300 bytes) 2014-10-06 23:38

- Relationships
child of 0006609 (closed, fman): Availables hot-fixes for 1.9.12 & How To get full fixed package from gitorious

- Notes
(0021864)
fman (administrator)
2014-10-07 05:03

Thanks for your help
(0021881)
fman (administrator)
2014-10-07 20:12

User indicates that the option seems to be to replace serialize with json encode/decode.
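As an added example (not TestLink's code and not the change made in the fix commit), the pattern the report describes is shown next to two hardened alternatives: carrying the filter state as JSON, which is the direction this note suggests, and keeping the serialize() format but refusing to instantiate objects. The function names, the `isScalarTree` helper and the sample payloads are assumptions, not taken from the project.

```php
<?php
// Added example, not TestLink code. Function names and sample payloads are assumptions.

// BEFORE (the pattern the report describes): filter state arriving in a request
// parameter is rebuilt with unserialize(). Any serialized object the client sends
// is instantiated server-side, so its magic methods (__wakeup, __destruct, ...) run
// with whatever properties the client chose.
function restoreFiltersUnsafe(string $raw)
{
    return unserialize($raw);
}

// Filter state should only ever be nested arrays of scalars; reject anything else.
function isScalarTree($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isScalarTree($item)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

// AFTER, option 1 (what this note proposes): serialize the state with json_encode()
// and read it back with json_decode($raw, true). With $associative = true the
// decoder can only produce arrays and scalars, never instances of application classes.
function restoreFiltersJson(string $raw): ?array
{
    $decoded = json_decode($raw, true, 16);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null; // malformed JSON, or not the array shape we expect
    }
    return isScalarTree($decoded) ? $decoded : null;
}

// AFTER, option 2 (PHP >= 7.0): keep the serialize() wire format but disable object
// instantiation. Any object in the payload comes back as __PHP_Incomplete_Class,
// which the scalar-tree check then rejects.
function restoreFiltersSerializedNoObjects(string $raw): ?array
{
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false || !is_array($decoded)) {
        return null;
    }
    return isScalarTree($decoded) ? $decoded : null;
}

// Constructed inputs: a legitimate filter array as the page would emit it, and a
// serialized payload carrying an object (stdClass stands in for any class here).
$legit   = json_encode(['status' => ['p', 'f'], 'build' => 3]);
$hostile = 'a:1:{s:6:"status";O:8:"stdClass":0:{}}';

var_dump(restoreFiltersJson($legit));                  // accepted
var_dump(restoreFiltersJson($hostile));                // rejected: not JSON
var_dump(restoreFiltersSerializedNoObjects($hostile)); // rejected: object in payload
var_dump(restoreFiltersSerializedNoObjects(serialize(['status' => ['p']]))); // accepted
```

The JSON route is the simpler of the two because the decoder has no object-instantiation path at all; the `allowed_classes` route is useful where the serialized format must be kept for compatibility, and only on PHP 7.0 or later, where the second `unserialize()` argument exists.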
(0021882)
fman (administrator)
2014-10-07 20:22
edited on: 2014-10-07 20:25

https://vagosec.org/2013/09/wordpress-php-object-injection/
http://security.stackexchange.com/questions/63179/php-object-injection-prevention-owasp

(0021885)
fman (administrator)
2014-10-07 21:10

>> reveal the full webroot path within debug messages
Would you mind explaining this better? It's not clear how the debug messages are produced/generated.
(0021886)
fman (administrator)
2014-10-07 21:17

https://www.htbridge.com/vulnerability/information-exposure-through-externally-generated-error-message.html#mitigations
(0021888)
EgiX (reporter)
2014-10-07 21:43

With regard to commit #a519da3, I won't test it, because I'm pretty confident it solves the vulnerability.

The only thing to check is whether it breaks something, but I don't think so, unless the "active_filters" array is intended to contain objects, and not just simple variable types (like arrays, strings, ints, floats, etc.).
(0021889)
fman (administrator)
2014-10-07 21:46

https://gitorious.org/testlink-ga/testlink-code/commit/a519da3a45d80077e4eab957eb793b03652f57dc
(0021890)
fman (administrator)
2014-10-07 21:51

>> So I guess you haven't looked at my Proof of Concept code.
>> However, you can reproduce the issue manually using your browser:
If I kindly ask for an explanation and you do not want to provide it, please just say '... I do not want to help you ...'; otherwise please just provide the requested answer.

- Issue History
Date Modified Username Field Change
2014-10-06 23:38 EgiX New Issue
2014-10-06 23:38 EgiX File Added: PoCs.zip
2014-10-07 05:03 fman Note Added: 0021864
2014-10-07 20:12 fman Note Added: 0021881
2014-10-07 20:22 fman Note Added: 0021882
2014-10-07 20:25 fman Note Edited: 0021882
2014-10-07 20:39 fman Assigned To => fman
2014-10-07 20:39 fman Status new => assigned
2014-10-07 20:40 fman QA Team - Task Workflow Status => TBD
2014-10-07 21:07 fman Note Added: 0021884
2014-10-07 21:10 fman Note Added: 0021885
2014-10-07 21:17 fman Note Added: 0021886
2014-10-07 21:43 EgiX Note Added: 0021888
2014-10-07 21:45 fman Relationship added child of 0006609
2014-10-07 21:45 fman View Status private => public
2014-10-07 21:46 fman QA Team - Task Workflow Status TBD => READY FOR TESTING
2014-10-07 21:46 fman Note Added: 0021889
2014-10-07 21:46 fman Status assigned => resolved
2014-10-07 21:46 fman Fixed in Version => 1.9.13 (2015 #1)
2014-10-07 21:46 fman Resolution open => fixed
2014-10-07 21:51 fman Note Added: 0021890
2014-10-07 21:52 EgiX Note Added: 0021891
2014-10-07 21:52 EgiX Note Deleted: 0021891
2014-10-07 21:58 EgiX Note Added: 0021892
2014-10-07 22:00 fman Note Deleted: 0021892
2014-10-07 22:01 fman Note Deleted: 0021884
2014-10-07 22:02 fman Status resolved => closed
2015-09-15 21:09 fman Category Security => Security - XSS
2015-09-15 21:10 fman Category Security - XSS => Security - General

Copyright © 2000 - 2017 MantisBT Team