Mantis Bugtracker          
testlink.org

View Issue Details
ID: 0008808
Project: TestLink
Category: Security - XSS
View Status: public
Date Submitted: 2019-12-02 16:30
Last Update: 2020-01-01 15:26
Reporter: Sudoka
Assigned To: fman
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.9.19.01 (1.9.19 fixes)
Fixed in Version: 1.9.20
Summary: 0008808: TestLink v1.9.19.1 - Bypass security fix for XSS at index.php
Description: In the commit https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/0e3e907990f40483c0cd850744bc995011826799, the function strpos is used to check whether the parameter reqURI contains the word "javascript".

However, strpos is case-sensitive, which means we can bypass it by using "jAvascript", "javaScript",...

For example, accessing the URL /index.php?reqURI=jAvascript:alert('XSS') will still trigger the XSS payload.

I suggest using the function stripos instead.
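As an added illustration of the case-sensitivity problem the report describes (this is example code, not TestLink's own; the function names and the allowlist check are assumptions of the example), the same substring check done with strpos, with stripos as the report suggests, and with a same-site relative-path allowlist as a defender's stricter alternative:

```php
<?php
// Added illustration for issue 0008808; this is not TestLink's own code.
// Function names and the allowlist check are this example's assumptions.

// Check as described in the report: strpos() is case-sensitive, so a
// differently-cased scheme name slips past it.
function containsJavascriptCaseSensitive(string $reqURI): bool
{
    return strpos($reqURI, 'javascript') !== false;
}

// Fix suggested in the report: stripos() matches regardless of case.
function containsJavascriptCaseInsensitive(string $reqURI): bool
{
    return stripos($reqURI, 'javascript') !== false;
}

// Defender-side alternative (an assumption of this example, not the page's fix):
// rather than denying one substring, accept only a same-site relative path,
// which rejects any value that carries a scheme or a host at all.
function isSameSiteRelativePath(string $reqURI): bool
{
    // Must start with exactly one '/', so '//host/...' (protocol-relative) is refused.
    if ($reqURI === '' || $reqURI[0] !== '/' || substr($reqURI, 0, 2) === '//') {
        return false;
    }
    // parse_url() yields null for an absent component and false for malformed
    // input; only null (component absent) is accepted here.
    return parse_url($reqURI, PHP_URL_SCHEME) === null
        && parse_url($reqURI, PHP_URL_HOST) === null;
}

// Constructed samples: the two spellings cited in the report and one benign path.
$samples = [
    "javascript:alert('XSS')",
    "jAvascript:alert('XSS')",
    '/index.php',
];

printf("%-26s %-10s %-10s %s\n", 'reqURI', 'strpos', 'stripos', 'allowlist');
foreach ($samples as $uri) {
    printf(
        "%-26s %-10s %-10s %s\n",
        $uri,
        containsJavascriptCaseSensitive($uri) ? 'blocked' : 'passed',
        containsJavascriptCaseInsensitive($uri) ? 'blocked' : 'passed',
        isSameSiteRelativePath($uri) ? 'accepted' : 'rejected'
    );
}
```

Run it with `php example.php`. The first two columns show why the report's stripos suggestion matters: the mixed-case spelling passes the strpos check and is blocked only by stripos. The allowlist column shows that accepting nothing but a relative path makes the spelling of the scheme name irrelevant, which is the more robust choice for a value that ends up in a redirect or a link.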
Tags: No tags attached.
Database (MySQL,Postgres,etc): N/A
Browser:
PHP Version:
TestCaseID:
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files

- Relationships

-  Notes
(0029319)
fman (administrator)
2019-12-05 17:59

Hi, thanks a lot
(0029373)
Sudoka (reporter)
2020-01-01 04:05

Hi,
It's fixed.
Could I get a CVE number for this bug?
Thank you in advance and Happy New Year!
(0029376)
fman (administrator)
2020-01-01 15:26

Ok, go ahead

- Issue History
Date Modified Username Field Change
2019-12-02 16:30 Sudoka New Issue
2019-12-05 17:59 fman Note Added: 0029319
2019-12-31 14:11 fman QA Team - Task Workflow Status => READY FOR TESTING
2019-12-31 14:11 fman Status new => resolved
2019-12-31 14:11 fman Fixed in Version => 1.9.20
2019-12-31 14:11 fman Resolution open => fixed
2019-12-31 14:11 fman Assigned To => fman
2020-01-01 04:05 Sudoka Note Added: 0029373
2020-01-01 15:26 fman Note Added: 0029376



Copyright © 2000 - 2020 MantisBT Team