testlink.org
| Anonymous | Login | Signup for a new account | 2019-12-13 05:22 UTC |  |
| Main | My View | View Issues | Change Log | My Account |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0008301 | TestLink | Security - SQL Injection | public | 2018-06-18 13:00 | 2018-10-06 12:17 | ||||
| Reporter | Maksymilian Arciemowicz | ||||||||
| Assigned To | fman | ||||||||
| Priority | urgent | Severity | block | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 1.9.16 (2016 Q4) | ||||||||
| Fixed in Version | 1.9.18 (2018 Q3) | ||||||||
| Summary | 0008301: SQL Injection gettestcasesummary.php | ||||||||
| Description | SQL Injection here PoC http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27 [^] | ||||||||
| Additional Information | ============================================================================== DB Access Error - debug_print_backtrace() OUTPUT START ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200) Having this additional Information could be useful for reporting issue to development TEAM. ============================================================================== #0 database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563] #1 database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545] 0000002 database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977] 0000003 testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35] | ||||||||
| Tags | No tags attached. | ||||||||
| Database (MySQL,Postgres,etc) | MySQL | ||||||||
| Browser | |||||||||
| PHP Version | |||||||||
| TestCaseID | |||||||||
| QA Team - Task Workflow Status | READY FOR TESTING | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0027600) fman (administrator) 2018-06-18 17:42 |
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3 [^] |
|
(0027601) fman (administrator) 2018-06-18 17:42 |
thanks. would you mind to test fix? regards |
|
(0027604) Maksymilian Arciemowicz (reporter) 2018-06-18 18:11 |
thanks.. looks well. |
|
(0027942) fman (administrator) 2018-10-06 12:17 |
1.9.18 released |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2018-06-18 13:00 | Maksymilian Arciemowicz | New Issue | |
| 2018-06-18 17:42 | fman | QA Team - Task Workflow Status | => READY FOR TESTING |
| 2018-06-18 17:42 | fman | Note Added: 0027600 | |
| 2018-06-18 17:42 | fman | Status | new => resolved |
| 2018-06-18 17:42 | fman | Fixed in Version | => 1.9.18 (2018 Q3) |
| 2018-06-18 17:42 | fman | Resolution | open => fixed |
| 2018-06-18 17:42 | fman | Assigned To | => fman |
| 2018-06-18 17:42 | fman | Product Version | => 1.9.16 (2016 Q4) |
| 2018-06-18 17:42 | fman | Note Added: 0027601 | |
| 2018-06-18 18:11 | Maksymilian Arciemowicz | Note Added: 0027604 | |
| 2018-10-06 12:17 | fman | Note Added: 0027942 | |
| 2018-10-06 12:17 | fman | Status | resolved => closed |
|
Issue History |
| Copyright © 2000 - 2019 MantisBT Team |
 |