Insecure Direct Object Reference in TestLink Open Source Test Management

Project Description

The TestLink Open Source Test Management software suffers from an insecure direct object reference vulnerability. An unauthenticated user can gain access to all referenced files which are produced by different test cases.


Vendor description

“TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically.”

Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code

Business recommendation

SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users.

A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies.

Vulnerability overview/description

1) Insecure Direct Object Reference

An unauthenticated user can gain access to referenced files which are produced by different test cases. By using a simple ID iterator, all produced output data can be gathered from the whole system.

The actual impact strongly depends on the classification of the produced data which is referenced. Therefore, the risk can vary from low to critical depending on the use case.

Proof of concept

1) Insecure Direct Object Reference

An unauthenticated attacker can download data from the TestLink environment by using the following url:
http://<IP-Address>/lib/attachments/attachmentdownload.php?skipCheck=1&id=<ID>

The tag <IP-Address> specifies the target address and can also include a sub-folder where the hosted TestLink application is located.

Vulnerable / tested versions

The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.:

  • 1.9.16
  • 1.9.15
  • 1.9.14

Vendor contact timeline

2017-10-18: Contacting vendor through http://mantis.testlink.org
Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for 1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test instance) and that it can be verified easily with the PoC
2018-01-09: Asked for status update; No answer.
2018-01-29: Asked for status update; No answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the advisory.
2018-02-19: Asked the vendor for reachable test-instance, reply: there is no test instance
2018-02-28: Public release of security advisory

Solution

Check-out the current testlink-code on branch “testlink_1_9”:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/

The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d

Upgrade to 1.9.17 (after November 2017).

Workaround

Restrict network access and do not expose the TestLink interface to the internet.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF T.Weber / @2018

Project Details

  • TitleInsecure Direct Object Reference
  • ProductTestLink Open Source Test Management
  • Vulnerable version<1.9.17
  • Fixed version1.9.17 (after November 2017), and the current "testlink_1_9" branch
  • CVE number-
  • ImpactMedium
  • Homepagehttp://testlink.org/
  • Found2017-09-22
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back