| Field | Value |
|---|---|
| ID | 0008301 |
| Project | TestLink |
| Category | Security - SQL Injection |
| View Status | public |
| Date Submitted | 2018-06-18 13:00 |
| Last Update | 2018-10-06 12:17 |
| Reporter | Maksymilian Arciemowicz |
| Assigned To | fman |
| Priority | urgent |
| Severity | block |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.9.16 (2016 Q4) |
| Fixed in Version | 1.9.18 (2018 Q3) |
| Summary | 0008301: SQL Injection gettestcasesummary.php |
| Description | SQL Injection here PoC http://localhost/lib/ajax/gettestcasesummary.php?tcase_id=1%27 |
| Tags | No tags attached. |
| Database (MySQL,Postgres,etc) | MySQL |
| Browser | |
| PHP Version | |
| TestCaseID | |
| QA Team - Task Workflow Status | READY FOR TESTING |
| Attached Files | |

Additional Information:

```
==============================================================================
DB Access Error - debug_print_backtrace() OUTPUT START
ATTENTION: Enabling more debug info will produce path disclosure weakness (CWE-200)
Having this additional Information could be useful for reporting issue to development TEAM.
==============================================================================
#0  database->exec_query(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:563]
#1  database->fetchFirstRow(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' ) called at [/opt/bitnami/testlink/lib/functions/database.class.php:545]
#2  database->fetchFirstRowSingleColumn(/* Class:testcase - Method: get_last_version_info */ SELECT MAX(version) AS version FROM tcversions TCV JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id WHERE NH_TCV.parent_id = 1' , version) called at [/opt/bitnami/testlink/lib/functions/testcase.class.php:1977]
#3  testcase->get_last_version_info(1') called at [/opt/bitnami/testlink/lib/ajax/gettestcasesummary.php:35]
```
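Added example, not TestLink's code and not the linked fix: the query shape visible in the backtrace built by string interpolation of `tcase_id`, beside a hardened version that validates the parameter as a positive integer and binds it. The SQLite tables, sample rows and function names are constructed for the demo; only the table and column names follow the backtrace.

```php
<?php
// Constructed in-memory database mirroring the two tables named in the trace.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nodes_hierarchy (id INTEGER, parent_id INTEGER)');
$db->exec('CREATE TABLE tcversions (id INTEGER, version INTEGER)');
$db->exec('INSERT INTO nodes_hierarchy VALUES (10, 1), (11, 1), (12, 2)');
$db->exec('INSERT INTO tcversions VALUES (10, 1), (11, 2), (12, 7)');

// Vulnerable shape (hypothetical helper): the request value is pasted into the
// SQL text, so tcase_id=1' yields "parent_id = 1'" exactly as the backtrace shows.
function lastVersionUnsafe(PDO $db, string $tcaseId): ?int {
    $sql = 'SELECT MAX(version) AS version FROM tcversions TCV '
         . 'JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id '
         . "WHERE NH_TCV.parent_id = $tcaseId";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['version'] === null ? null : (int) $row['version'];
}

// Hardened shape (hypothetical helper): reject anything that is not a positive
// integer before it reaches the database, then bind the value instead of
// interpolating it, so the SQL text never changes with user input.
function lastVersionSafe(PDO $db, string $tcaseId): ?int {
    if (!ctype_digit($tcaseId) || (int) $tcaseId < 1) {
        throw new InvalidArgumentException('tcase_id must be a positive integer');
    }
    $stmt = $db->prepare(
        'SELECT MAX(version) AS version FROM tcversions TCV '
      . 'JOIN nodes_hierarchy NH_TCV ON NH_TCV.id = TCV.id '
      . 'WHERE NH_TCV.parent_id = :id');
    $stmt->execute([':id' => (int) $tcaseId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['version'] === null ? null : (int) $row['version'];
}

// Normal input works on both paths; the reporter's payload errors out on the
// unsafe path (the DB Access Error above) and is rejected before the query on
// the safe path.
echo "safe, id 1: ", lastVersionSafe($db, '1'), "\n";
try {
    lastVersionUnsafe($db, "1'");
} catch (PDOException $e) {
    echo "unsafe path: database error reached the user\n";
}
try {
    lastVersionSafe($db, "1'");
} catch (InvalidArgumentException $e) {
    echo "safe path: input rejected before any query ran\n";
}
```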
(0027600) fman (administrator) 2018-06-18 17:42
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/2c85dc8f472f4eedba70a24456be5239dc3045a3

(0027601) fman (administrator) 2018-06-18 17:42
thanks. would you mind testing the fix? regards

(0027604) Maksymilian Arciemowicz (reporter) 2018-06-18 18:11
thanks, looks good.

(0027942) fman (administrator) 2018-10-06 12:17
1.9.18 released
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-06-18 13:00 | Maksymilian Arciemowicz | New Issue | |
| 2018-06-18 17:42 | fman | QA Team - Task Workflow Status | => READY FOR TESTING |
| 2018-06-18 17:42 | fman | Note Added: 0027600 | |
| 2018-06-18 17:42 | fman | Status | new => resolved |
| 2018-06-18 17:42 | fman | Fixed in Version | => 1.9.18 (2018 Q3) |
| 2018-06-18 17:42 | fman | Resolution | open => fixed |
| 2018-06-18 17:42 | fman | Assigned To | => fman |
| 2018-06-18 17:42 | fman | Product Version | => 1.9.16 (2016 Q4) |
| 2018-06-18 17:42 | fman | Note Added: 0027601 | |
| 2018-06-18 18:11 | Maksymilian Arciemowicz | Note Added: 0027604 | |
| 2018-10-06 12:17 | fman | Note Added: 0027942 | |
| 2018-10-06 12:17 | fman | Status | resolved => closed |