Mantis Bugtracker          
testlink.org

ID: 0008895
Project: TestLink
Category: Security - General
View Status: public
Date Submitted: 2020-04-04 15:42
Last Update: 2020-04-05 19:32
Reporter: dorkerdevil
Assigned To: fman
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: windows
OS: win 10
OS Version: Version 80.0.398
Product Version: 1.9.20
Fixed in Version: 1.9.20_fixed
Summary: 0008895: plain username and password disclosure
Description: Unescaped character in the hidden input tag of the CSRF token (img1.png), which leads to username and password disclosure in the plain-text URL.

Steps To Reproduce:
Visit
http://127.0.0.1/testlink/login.php?viewer=%22%3E%3E

which shows
>" method="post" class="form form--login">

above login parameters

Upon looking at the source I found this

<input type='hidden' name='CSRFToken' value='54f0a74bb73bb2c08b8007af3523a191f51ff4929c18f77d21283fa19de9a4a96bc81299aeca017b4796a2c1a5f33df129db0a8afc9f72a57a9746ac26e09bce' />>" method="post" class="form form--login">

As you can see, the extra >>" after /

now once you click on login

look at the url (img2.png)

#take a look at attached images

Additional Information: This way an attacker can perform MITM or can simply view and steal the username and password easily.
Tags: No tags attached.
Database (MySQL,Postgres,etc): mysql
Browser: chrome
PHP Version: 5.0.1
TestCaseID:
QA Team - Task Workflow Status: READY FOR TESTING
Attached Files:
img1.png (66,014 bytes) 2020-04-04 15:42
img2.png (75,982 bytes) 2020-04-04 15:42
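
Added example (not part of the original report and not TestLink's code): a Python regression check for the behaviour described above, comparing the rendered login form with and without HTML-escaping of the reflected value. It assumes the viewer value is echoed into the form's action attribute; the template and the field names login and password are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Query value from the report's URL; decodes to '">>'.
REPORT_PAYLOAD = unquote("%22%3E%3E")
# Constructed template (assumption): the viewer value is echoed into the
# form's action attribute. The field names are hypothetical.
FORM_TEMPLATE = (
    '<form action="login.php?viewer={viewer}" method="post" '
    'class="form form--login"><input type="text" name="login">'
    '<input type="password" name="password"></form>'
)


def render_login_form(viewer, escape_output):
    """Render the form, HTML-escaping the reflected value if requested."""
    value = escape(viewer, quote=True) if escape_output else viewer
    return FORM_TEMPLATE.format(viewer=value)


class _FormInspector(HTMLParser):
    """Collects the first <form> tag's attributes and any stray text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_attrs = None
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.form_attrs is None:
            self.form_attrs = dict(attrs)

    def handle_data(self, data):
        self.stray_text += data


def inspect_form(html):
    """Return the effective submit method and text that escaped the tag."""
    parser = _FormInspector()
    parser.feed(html)
    parser.close()
    attrs = parser.form_attrs or {}
    # No method attribute means GET: fields, password included, go in the URL.
    method = (attrs.get("method") or "get").lower()
    return {"method": method, "stray_text": parser.stray_text}

if __name__ == "__main__":
    for escaped in (False, True):
        print(escaped, inspect_form(render_login_form(REPORT_PAYLOAD, escaped)))
```

In a PHP template the corresponding output escaping is htmlspecialchars() with ENT_QUOTES.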

- Relationships

-  Notes
(0029562)
fman (administrator)
2020-04-04 17:59

Thanks, going to check.
(0029564)
fman (administrator)
2020-04-04 18:03

May I ask you to get the code from the GitHub branch testlink_1_9_20_fixed and retest?

It seems the extra > is not there.

regards
(0029565)
dorkerdevil (reporter)
2020-04-04 18:09

ok

- Issue History
Date Modified Username Field Change
2020-04-04 15:42 dorkerdevil New Issue
2020-04-04 15:42 dorkerdevil File Added: img1.png
2020-04-04 15:42 dorkerdevil File Added: img2.png
2020-04-04 17:59 fman Note Added: 0029562
2020-04-04 18:03 fman Note Added: 0029564
2020-04-04 18:04 fman Assigned To => fman
2020-04-04 18:04 fman Status new => feedback
2020-04-04 18:09 dorkerdevil Note Added: 0029565
2020-04-04 18:09 dorkerdevil Status feedback => assigned
2020-04-05 09:57 fman QA Team - Task Workflow Status => READY FOR TESTING
2020-04-05 09:57 fman Status assigned => resolved
2020-04-05 09:57 fman Fixed in Version => 1.9.20_fixed
2020-04-05 09:57 fman Resolution open => fixed
2020-04-05 19:32 fman Relationship added related to 0008878


