SEC Consult Vulnerability Lab Security Advisory < 20180228-0 > ======================================================================= title: Insecure Direct Object Reference product: TestLink Open Source Test Management vulnerable version: <1.9.17 fixed version: 1.9.17 (after November 2017), and the current "testlink_1_9" branch CVE number: - impact: Medium homepage: http://testlink.org/ found: 2017-09-22 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal Moscow - Munich - Kuala Lumpur - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically." Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code Business recommendation: ------------------------ SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users. A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies. Vulnerability overview/description: ----------------------------------- 1) Insecure Direct Object Reference An unauthenticated user can gain access to referenced files which are produced by different test cases. By using a simple ID iterator, all produced output data can be gathered from the whole system. The actual impact strongly depends on the classification of the produced data which is referenced. Therefore, the risk can vary from low to critical depending on the use case. Proof of concept: ----------------- 1) Insecure Direct Object Reference An unauthenticated attacker can download data from the TestLink environment by using the following url: http:///lib/attachments/attachmentdownload.php?skipCheck=1&id= The tag specifies the target address and can also include a sub- folder where the hosted TestLink application is located. Vulnerable / tested versions: ----------------------------- The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.: * 1.9.16 * 1.9.15 * 1.9.14 Vendor contact timeline: ------------------------ 2017-10-18: Contacting vendor through http://mantis.testlink.org Vendor requested the information. 2017-10-19: Asked if the advisory should be uploaded to mantis directly. 2017-10-21: Contact agreed. 2017-10-23: Uploaded the advisory to mantis. 2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for 1.9.15 and 1.9.14 too. Vendor asked us for verification. 2017-11-07: Stated that verification is not possible at the moment (no test instance) and that it can be verified easily with the PoC 2018-01-09: Asked for status update; No answer. 2018-01-29: Asked for status update; No answer. 2018-02-16: Asked for status update. 2018-02-17: Vendor responded that we can re-check the fix or release the advisory. 2018-02-19: Asked the vendor for reachable test-instance, reply: there is no test instance 2018-02-28: Public release of security advisory Solution: --------- Check-out the current testlink-code on branch "testlink_1_9": https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/ The following commit contains the fix since 2017-11-01: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d Upgrade to 1.9.17 (after November 2017). Workaround: ----------- Restrict network access and do not expose the TestLink interface to the internet. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal Moscow - Munich - Kuala Lumpur - Singapore Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/about-us/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF T.Weber / @2018