Mantis Bugtracker          
testlink.org

View Issue Details

ID: 0008718
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2019-07-08 09:46
Last Update: 2019-07-17 18:18
Reporter: danzone
Assigned To: fman
Priority: high
Severity: major
Reproducibility: random
Status: assigned
Resolution: reopened
Platform: Linux Kernel 3.10
OS: CentOS
OS Version: 7.5.1804
Product Version: 1.9.18 (2018 Q3)
Fixed in Version:
Summary: 0008718: Suspicious remote account creation even when user registration has been disabled
Description:
We are facing a strange issue: in the last two weeks we have had two attacks on our public TestLink instance: https://production.eng.it/testlink.
We started to receive a lot of email notifications about newly created TestLink accounts, with typical SQL/command injection patterns.
So we decided to disable the possibility for end users to register themselves ($tlCfg->user_self_signup = FALSE within the custom_config.inc.php file).

Last Friday (July 5th) we had the same attack, and we started to receive a lot of email notifications about new accounts created in our TestLink instance, even with user self signup disabled.

The emails stopped when we shut down the TestLink instance.

In both cases, however, no new account was actually created (double-checked from the TestLink GUI and directly within the DB), and I also checked whether there is a remote API to create accounts or not, but TestLink actually doesn't have a remote API for this.

Moreover: there is no trace in the TestLink and web server logs of any remote invocation of the TestLink account creation functionality.

Is there something else we have to take into account to prevent this kind of attack?
Steps To Reproduce: Not enough information to reproduce it
Tags: No tags attached.
Database (MySQL, Postgres, etc): PostgreSQL
Browser: n.a.
PHP Version: 7.1.18
TestCaseID:
QA Team - Task Workflow Status: TBD
Attached Files: Screen Shot 2019-07-13 at 13.08.33.png (40,085 bytes) 2019-07-13 11:12

- Relationships

- Notes
(0028990)
danzone (reporter)
2019-07-08 10:00

Just in case: could there be a bug in the notification mechanism, so that it sends a notification email even when the new account isn't actually created?
(0029022)
fman (administrator)
2019-07-13 11:01
edited on: 2019-07-13 11:12

Unfortunately, if you cannot provide an example of how to reproduce the attack, it is very difficult to develop a remediation.

Can you provide some samples of the mails you have received?

Remove the firstLogin.php file as a security measure.

Just tested and got the attached image.

The attack is not using this page.

(0029029)
fman (administrator)
2019-07-17 14:38

no more user feedback
(0029030)
danzone (reporter)
2019-07-17 16:40

I apologize for being so late in providing you with feedback. Today I tried to create several accounts with curl, having disabled the self signup feature, but TestLink behaved correctly, providing me with the right response (the same one you provided in the attached image). Then I tried to create with curl an account with fake data, similar to the ones we found in the notification emails, and TestLink behaved correctly too, providing me with the same message.

Following are some examples of the notification messages we collected during the attack:

Date: Fri, 5 Jul 2019 16:29:11 +0000
To: ...
From: ...
Subject: TestLink - New Account Created
Message-ID: ...
X-Mailer: PHPMailer ... (https://github.com/PHPMailer/PHPMailer)
Content-Type: text/plain; charset="UTF-8"
...(several headers)...

TestLink - New Account Created
 user:
 first name: surname:
 email:


*********************************************************


Date: Fri, 5 Jul 2019 16:29:27 +0000
To: ...
From: ...
Subject: TestLink - New Account Created
Message-ID: ...
X-Mailer: PHPMailer ... (https://github.com/PHPMailer/PHPMailer)
Content-Type: text/plain; charset="UTF-8"
...(several headers)...

TestLink - New Account Created
 user:
 first name: surname:<?php passthru('id'); die; ?>
 email:

*********************************************************


Date: Fri, 5 Jul 2019 16:29:26 +0000
To: ...
From: ...
Subject: TestLink - New Account Created
Message-ID: ...
X-Mailer: PHPMailer ... (https://github.com/PHPMailer/PHPMailer)
Content-Type: text/plain; charset="UTF-8"
...(several headers)...

TestLink - New Account Created
 user:
 first name: surname:|cat /etc/passwd|
 email:
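The notification bodies quoted above are the only evidence in the thread, and the open question is why a mail went out for an account that does not exist in the DB. As an added example (not TestLink code and not from either participant), this Python triage parses a dump of such notifications, flags name and e-mail fields carrying code or command markers, and cross-checks each notified login against the set of accounts actually present; the sample mails and the KNOWN_USERS set are constructed.

```python
import re

# Constructed sample: three notification bodies in the shape quoted in the
# ticket (mail headers omitted), separated by the same asterisk rule.
SAMPLE_MAILS = """TestLink - New Account Created
 user: jdoe
 first name: John surname: Doe
 email: jdoe@example.invalid
*********************************************************
TestLink - New Account Created
 user:
 first name: surname:<?php passthru('id'); die; ?>
 email:
*********************************************************
TestLink - New Account Created
 user:
 first name: surname:|cat /etc/passwd|
 email:
"""

# Logins that really exist in the TestLink users table (constructed; in practice
# query the DB). The reporter found none of the notified accounts there.
KNOWN_USERS = {"jdoe"}

# Markers a name or e-mail field should never contain: PHP open tags, shell
# pipes, backticks, $(...) substitution, chained commands, SQL comments.
INJECTION_MARKERS = re.compile(r"<\?php|<\?=|\|\s*\w+|`|\$\(|;\s*\w+|--|/\*", re.I)

# One body as TestLink renders it; [ \t]* keeps each field on its own line.
RECORD_RE = re.compile(
    r"user:[ \t]*(?P<user>.*)\n[ \t]*first name:[ \t]*(?P<first_name>.*?)"
    r"[ \t]*surname:[ \t]*(?P<surname>.*)\n[ \t]*email:[ \t]*(?P<email>.*)")

def parse_notifications(text):
    """Return one dict per 'New Account Created' body found in the dump."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in RECORD_RE.finditer(text)]

def triage(records, known_users):
    """Flag fields with code/command markers and logins absent from the users table."""
    findings = []
    for rec in records:
        reasons = [f"injection marker in {fld}" for fld, val in rec.items()
                   if INJECTION_MARKERS.search(val)]
        if rec["user"] not in known_users:
            reasons.append("no matching account in DB")  # mail without an account
        if reasons:
            findings.append((rec, reasons))
    return findings
```

Running `triage(parse_notifications(SAMPLE_MAILS), KNOWN_USERS)` returns only the two injected records, each flagged both for the surname payload and for having no account behind it, while the benign record passes.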
(0029031)
fman (administrator)
2019-07-17 18:18

Thanks for your answers.
What is very strange is that mails have been dispatched, because the code only sends a mail after a successful user creation.
I do not have any clue about how this can have happened.

regards

- Issue History
Date Modified Username Field Change
2019-07-08 09:46 danzone New Issue
2019-07-08 10:00 danzone Note Added: 0028990
2019-07-13 11:01 fman Note Added: 0029022
2019-07-13 11:05 fman Note Edited: 0029022
2019-07-13 11:11 fman Note Edited: 0029022
2019-07-13 11:12 fman Note Edited: 0029022
2019-07-13 11:12 fman File Added: Screen Shot 2019-07-13 at 13.08.33.png
2019-07-17 14:38 fman QA Team - Task Workflow Status => TBD
2019-07-17 14:38 fman Note Added: 0029029
2019-07-17 14:38 fman Status new => closed
2019-07-17 14:38 fman Assigned To => fman
2019-07-17 14:38 fman Resolution open => unable to reproduce
2019-07-17 16:40 danzone Note Added: 0029030
2019-07-17 16:40 danzone Status closed => assigned
2019-07-17 16:40 danzone Resolution unable to reproduce => reopened
2019-07-17 18:18 fman Note Added: 0029031
