I am unable to exploit this with any user except admin, so I am curious how you were able to come to the conclusion that any user who could sign up would be able to exploit these...
"Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to exploit aforementioned SQL injections without prior knowledge of the authentication details.'" Even capturing the vulnerable requests with burp and cookie swapping with my newly-created user (whom is guest by default), I was hit with RBAC. On Wed, Oct 1, 2014 at 11:38 AM, Portcullis Advisories < advisor...@portcullis-security.com> wrote: > Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink > CVE: CVE-2014-5308 > Vendor: Testlink > Product: TestLink > Affected version: 1.9.11 > Fixed version: Fixed in SVN commit number 7a09973 > Reported by: Jerzy Kramarz > > Details: > > Two SQL injection vulnerabilities have been found and confirmed within the > software as an authenticated user. A successful attack could allow an > authenticated attacker to access information such as usernames and password > hashes that are stored in the database. The following URLs and parameters > have been confirmed to suffer from Multiple SQL injections: > > Vulnerability 1 (Fixed in commit #7a09973 in official repository) > > <pre> > > POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1 > Host: 192.168.56.101 > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 > Firefox/30.0 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-US,en;q=0.5 > Accept-Encoding: gzip, deflate > DNT: 1 > Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php > Cookie: [...] > Connection: keep-alive > Content-Type: application/x-www-form-urlencoded > Content-Length: 200 > > CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL > Injection>&search=Search%2FFilter > > </pre> > > Vulnerability 2 (Fixed in patches after commit #7a09973 in official > repository) > > <pre> > > POST /testlink/lib/events/eventinfo.php HTTP/1.1 > Content-Length: 6 > Accept-Language: en-US,en;q=0.5 > Accept-Encoding: gzip,deflate > Host: 192.168.56.101 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 > Firefox/30.0 > DNT: 1 > Connection: close > Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php > Pragma: no-cache > Cache-Control: no-cache > X-Requested-With: XMLHttpRequest > Content-Type: application/x-www-form-urlencoded; charset=UTF-8 > Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; > ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}} > > id=123<SQL Injection> > > </pre> > > Note:'Any user can create account for the application in > 'testlink/firstLogin.php' page hence its possible to exploit aforementioned > SQL injections without prior knowledge of the authentication details.' > > Further details at: > > > https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/ > > > Copyright: > Copyright (c) Portcullis Computer Security Limited 2014, All rights > reserved worldwide. Permission is hereby granted for the electronic > redistribution of this information. It is not to be edited or altered in > any way without the express written consent of Portcullis Computer Security > Limited. > > Disclaimer: > The information herein contained may change without notice. Use of this > information constitutes acceptance for use in an AS IS condition. There are > NO warranties, implied or otherwise, with regard to this information or its > use. Any use of this information is at the user's risk. In no event shall > the author/distributor (Portcullis Computer Security Limited) be held > liable for any damages whatsoever arising out of or in connection with the > use or spread of this information. > > > ############################################################### > This email originates from the systems of Portcullis > Computer Security Limited, a Private limited company, > registered in England in accordance with the Companies > Act under number 02763799. The registered office > address of Portcullis Computer Security Limited is: > Portcullis House, 2 Century Court, Tolpits Lane, Watford, > United Kingdom, WD18 9RS. > The information in this email is confidential and may be > legally privileged. It is intended solely for the addressee. > Any opinions expressed are those of the individual and > do not represent the opinion of the organisation. Access > to this email by persons other than the intended recipient > is strictly prohibited. > If you are not the intended recipient, any disclosure, > copying, distribution or other action taken or omitted to be > taken in reliance on it, is prohibited and may be unlawful. > When addressed to our clients any opinions or advice > contained in this email is subject to the terms and > conditions expressed in the applicable Portcullis Computer > Security Limited terms of business. > ############################################################### > > > ##################################################################################### > This e-mail message has been scanned for Viruses and Content and cleared > by MailMarshal. > > ##################################################################################### > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
