Mantis Bugtracker
testlink.org

View Issue Details
ID: 0008931
Project: TestLink
Category: Test Spec. - inline images
View Status: public
Date Submitted: 2020-06-05 05:41
Last Update: 2020-06-15 13:04
Reporter: xiaochan
Assigned To: fman
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 1.9.20
Fixed in Version: 1.9.20_fixed
Summary: 0008931: TestLink 1.9.20 has CSRF, and users can be disabled without the knowledge of the admin administrator
Description: TestLink has a CSRF vulnerability, which can be exploited by ordinary users to make the admin perform operations without their knowledge.
Steps To Reproduce:
1. An ordinary user such as test logs in to the TestLink system and enters the use case editing interface
2. In the Use Case Add Step interface, select Insert Picture
3. Here, in the URL input, enter an operation that can only be performed by admin, such as disabling a user:
http://127.0.0.1/testlink/lib/usermanagement/usersView.php?operation=disable&user=3
Click save
4. admin logs in to TestLink and browses the use case
5. It is found that the account of user 3 has been disabled; the user ID can be traversed
Additional Information: Ordinary users can use CSRF to make the admin perform operations without their knowledge. In addition to disabling users, other GET request operations are also affected.
This CSRF can complete the attack without using a third-party website, by using TestLink's own image upload function.
Tags: No tags attached.
Database (MySQL, Postgres, etc.): MySQL
Browser: (not set)
PHP Version: (not set)
TestCaseID: (not set)
QA Team - Task Workflow Status: TBD
Attached Files: TestLink _has_csrf.png (214,780 bytes) 2020-06-05 05:41
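The report above describes a stored CSRF: a low-privilege user saves an `<img>` whose `src` is a same-origin, state-changing GET URL, and the admin's browser fires that request (with the session cookie) when the test case is viewed. The scanner below is an added example, not TestLink project code; it walks rich-text content and flags image sources that point at the application's own origin with an action-selecting query parameter. The sample step HTML, the application base URL and the list of parameter names (`operation`, `doAction`, taken from the two URLs quoted in this issue) are assumptions made for the example.

```python
"""Flag <img src> values in rich-text content that would make a viewer's
browser issue a cookie-bearing GET to a same-origin state-changing endpoint.

Added example, not TestLink's own code. Sample HTML, base URL and parameter
names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query parameters that select an action in the URLs quoted in this report
# (operation=disable, doAction=do_delete). Assumed list, not an inventory of
# every TestLink endpoint.
STATE_CHANGING_PARAMS = ("operation", "doAction")


class _ImgSrcCollector(HTMLParser):
    """Collect every src attribute of every <img> tag (entities are unescaped
    by HTMLParser, so '&amp;' in the stored HTML becomes '&')."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def _is_same_origin(src, app_base):
    app = urlsplit(app_base)
    target = urlsplit(src)
    if not target.scheme and not target.netloc:
        return True  # relative URL: the browser resolves it against the app origin
    return (target.scheme, target.netloc) == (app.scheme, app.netloc)


def find_csrf_image_vectors(html, app_base):
    """Return the src values that target app_base with an action parameter."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        if not _is_same_origin(src, app_base):
            continue  # third-party image: no TestLink cookie, no state change here
        params = parse_qs(urlsplit(src).query)
        if any(p in params for p in STATE_CHANGING_PARAMS):
            flagged.append(src)
    return flagged


# Constructed sample: the step HTML a senior_tester could save via the editor.
SAMPLE_STEP_HTML = """
<p>Check the login page.</p>
<img src="http://127.0.0.1/testlink/lib/usermanagement/usersView.php?operation=disable&amp;user=3" alt="111">
<img src="http://127.0.0.1/testlink/lib/platforms/platformsEdit.php?tproject_id=1&amp;doAction=do_delete&amp;id=2">
<img src="/testlink/gui/themes/default/images/logo.png">
<img src="https://cdn.example.org/screenshot.png?operation=view">
"""

if __name__ == "__main__":
    for url in find_csrf_image_vectors(SAMPLE_STEP_HTML, "http://127.0.0.1/testlink"):
        print("stored CSRF vector:", url)
```

Running the block prints the two URLs quoted in this issue and ignores the logo and the third-party image. A scanner like this is a detection aid for content already stored; it does not replace fixing the endpoints, since any GET that changes state is reachable from any page the victim loads.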

- Relationships

-  Notes
(0029730)
fman (administrator)
2020-06-05 07:47

>> In addition to disabling users, other GET request operations are also affected
What are all these operations?
Without details it is impossible to fix.
(0029731)
xiaochan (reporter)
2020-06-05 09:52

There is also a link to delete a platform:
http://127.0.0.1/testlink/lib/platforms/platformsEdit.php?tproject_id=1&doAction=do_delete&id=2
(0029732)
fman (administrator)
2020-06-05 10:06
edited on: 2020-06-05 10:07

Tested using github branch testlink_1_9_20_fixed

1. login as admin user
2. create a new user aa with default role senior_tester
3. logout
4. login as aa
5. create test case
6. create one step, using the rich web editor add an image with URL
http://testlink-dev/lib/usermanagement/usersView.php?operation=disable&user=3
7. save
8. logout
9. login as admin user
10. check users
11. nothing has changed on user with ID=3

(0029733)
fman (administrator)
2020-06-05 13:00

Please provide the rights that are present in the role of the user used for the tests.
Without this information, no other investigation can be done.
(0029738)
xiaochan (reporter)
2020-06-07 09:55

Tested using github branch testlink_1_9_20_fixed
1. login as admin user
2. Create two new users test1 and test2 with default role senior_tester
3. logout
4. login as test1
5. create test case
6. create one step, using the rich web editor add an image with URL
http://testlink-dev/lib/usermanagement/usersView.php?operation=disable&user=3
In the Alternative Text input box, enter 111
7. save
8. logout
9. Log in as the admin user to view the use case created by the test user in step 5
10. check users
11. User test2 with id 3 changes from active to inactive
(0029739)
fman (administrator)
2020-06-07 16:59

Thanks, now it is clear.
Please do not use terms that create confusion -> "use case" does not exist in TestLink; the right term is Test Case.
(0029743)
fman (administrator)
2020-06-07 18:21

For disable user:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/5cd7d8eaaf6c5a04e8ffc203b2e91c43b815b1f9

Please install, retest and provide feedback.
(0029746)
xiaochan (reporter)
2020-06-08 06:27

I checked your fix; you fix it by checking the Referer in the request header. I think this fix can be bypassed. The specific bypass method is: construct the access path on the third-party website as http://host/lib/usermanagement/usersView.php, load an image on that page, and set the src of the image to the request URL that disables the user, so that the Referer of the constructed request will include "/lib/usermanagement/usersView.php".
(0029747)
fman (administrator)
2020-06-08 06:51

Hi,
this is part of the risk, but it is a little bit mitigated, and has to be accepted as the first workaround.
(0029749)
xiaochan (reporter)
2020-06-08 07:09

It is recommended that, in addition to checking the Referer of the request header, the request method be changed from GET to POST.
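The exchange in the last three notes (a Referer check as first workaround, the substring bypass, and the recommendation to move to POST) is modelled below as an added example that is not TestLink's code and does not reproduce the linked commit. It contrasts a guard that accepts any Referer containing the endpoint path with a guard that requires POST, compares the scheme and host of the Origin (or Referer) header against the application's origin, and checks a per-session token. The request dictionaries, header handling, `APP_ORIGIN` value and the TestLink page path used for the stored variant are assumptions made for the example.

```python
"""Two CSRF guards for a state-changing endpoint, modelled on this thread.

Added example, not TestLink's own code. Request shape, origin and the page
path in STORED_IMG are constructed assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "http://testlink-dev"                 # assumed deployment origin
ENDPOINT = "/lib/usermanagement/usersView.php"     # endpoint quoted in the report


def make_request(method, headers, form=None):
    return {"method": method, "headers": headers, "form": form or {}}


def referer_substring_check(request):
    """Weak guard: accept when the Referer merely contains the endpoint path."""
    referer = request["headers"].get("Referer", "")
    return ENDPOINT in referer


def issue_token(session):
    """Bind a fresh random token to the session; embed it in the admin's form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_and_token_check(request, session):
    """Stronger guard: state changes only on POST, only from the app's own
    origin, and only with the token bound to this session."""
    if request["method"] != "POST":
        return False
    headers = request["headers"]
    source = headers.get("Origin") or headers.get("Referer") or ""
    src, app = urlsplit(source), urlsplit(APP_ORIGIN)
    if (src.scheme, src.netloc) != (app.scheme, app.netloc):
        return False  # whole-origin comparison, not a substring match
    submitted = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(submitted, expected)


# Constructed requests.
# 1. Stored variant from the report: the admin views a test case containing the
#    <img>, so the browser sends a TestLink page as Referer (path assumed).
STORED_IMG = make_request("GET", {"Referer": APP_ORIGIN + "/lib/testcases/example-page.php"})
# 2. Bypass from note 0029746: attacker page whose path mirrors the endpoint.
BYPASS_IMG = make_request("GET", {"Referer": "http://attacker.example" + ENDPOINT})


def legitimate_post(session):
    """The admin submitting the disable action from the real users page."""
    return make_request(
        "POST",
        {"Origin": APP_ORIGIN, "Referer": APP_ORIGIN + ENDPOINT},
        {"operation": "disable", "user": "3", "csrf_token": session["csrf_token"]},
    )


def cross_origin_post(session):
    """A forged POST that somehow carries the right token but comes from elsewhere."""
    return make_request(
        "POST",
        {"Origin": "http://attacker.example", "Referer": "http://attacker.example" + ENDPOINT},
        {"operation": "disable", "user": "3", "csrf_token": session["csrf_token"]},
    )


if __name__ == "__main__":
    session = {}
    issue_token(session)
    print("substring check, stored <img>:", referer_substring_check(STORED_IMG))
    print("substring check, attacker path:", referer_substring_check(BYPASS_IMG))
    print("origin+token, attacker path:", origin_and_token_check(BYPASS_IMG, session))
    print("origin+token, legitimate POST:", origin_and_token_check(legitimate_post(session), session))
```

The substring guard does block the stored `<img>` variant, which is the partial mitigation fman accepts, but it passes the attacker-hosted path from note 0029746. A browser sends no Origin header on a plain GET and may strip Referer under a restrictive referrer policy, so a guard keyed on those headers alone either breaks legitimate use or fails open; the session token is what makes the POST variant hold.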
(0029750)
fman (administrator)
2020-06-08 18:25

Changing from GET to POST means a lot of work, and cannot be done now.
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/c2fe5770c590a0bd0b4ec9b49ce3efa729acff90
(0029761)
xiaochan (reporter)
2020-06-13 12:45

Hello, can a CVE number be requested for this bug?
(0029762)
fman (administrator)
2020-06-13 14:09

1. Have you tested this fix, and is it working?
2. Feel free to apply for the CVE.
(0029765)
xiaochan (reporter)
2020-06-15 13:04

This time your commits are fine.

- Issue History
Date Modified Username Field Change
2020-06-05 05:41 xiaochan New Issue
2020-06-05 05:41 xiaochan File Added: TestLink _has_csrf.png
2020-06-05 07:47 fman Note Added: 0029730
2020-06-05 09:52 xiaochan Note Added: 0029731
2020-06-05 10:06 fman Note Added: 0029732
2020-06-05 10:07 fman Note Edited: 0029732
2020-06-05 10:07 fman Assigned To => fman
2020-06-05 10:07 fman Status new => feedback
2020-06-05 13:00 fman Note Added: 0029733
2020-06-07 09:55 xiaochan Note Added: 0029738
2020-06-07 09:55 xiaochan Status feedback => assigned
2020-06-07 16:59 fman Note Added: 0029739
2020-06-07 18:21 fman Note Added: 0029743
2020-06-07 18:21 fman Status assigned => feedback
2020-06-08 06:27 xiaochan Note Added: 0029746
2020-06-08 06:27 xiaochan Status feedback => assigned
2020-06-08 06:51 fman Note Added: 0029747
2020-06-08 07:09 xiaochan Note Added: 0029749
2020-06-08 18:25 fman Note Added: 0029750
2020-06-08 18:26 fman QA Team - Task Workflow Status => TBD
2020-06-08 18:26 fman Status assigned => resolved
2020-06-08 18:26 fman Fixed in Version => 1.9.20_fixed
2020-06-08 18:26 fman Resolution open => fixed
2020-06-13 12:45 xiaochan Note Added: 0029761
2020-06-13 14:09 fman Note Added: 0029762
2020-06-15 13:04 xiaochan Note Added: 0029765



Copyright © 2000 - 2020 MantisBT Team