Insecure Direct Object Reference in TestLink Open Source Test Management

Project Description

The TestLink Open Source Test Management software suffers from an insecure direct object reference vulnerability. An unauthenticated user can gain access to all referenced files which are produced by different test cases.

Vendor description

“TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically.”


Business recommendation

SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users.

A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies.

Vulnerability overview/description

1) Insecure Direct Object Reference

An unauthenticated user can gain access to referenced files which are produced by different test cases. By using a simple ID iterator, all produced output data can be gathered from the whole system.

The actual impact strongly depends on the classification of the produced data which is referenced. Therefore, the risk can vary from low to critical depending on the use case.

Proof of concept

1) Insecure Direct Object Reference

An unauthenticated attacker can download data from the TestLink environment by using the following url:

The tag <IP-Address> specifies the target address and can also include a sub-folder where the hosted TestLink application is located.

Vulnerable / tested versions

The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.:

  • 1.9.16
  • 1.9.15
  • 1.9.14

Vendor contact timeline

2017-10-18:Contacting vendor through
Vendor requested the information.
2017-10-19:Asked if the advisory should be uploaded to mantis directly.
2017-10-21:Contact agreed.
2017-10-23:Uploaded the advisory to mantis.
2017-11-01:Contact provided a fix for 1.9.16. Fixes will be created for 1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07:Stated that verification is not possible at the moment (no test instance) and that it can be verified easily with the PoC
2018-01-09:Asked for status update; No answer.
2018-01-29:Asked for status update; No answer.
2018-02-16:Asked for status update.
2018-02-17:Vendor responded that we can re-check the fix or release the advisory.
2018-02-19:Asked the vendor for reachable test-instance, reply: there is no test instance
2018-02-28:Public release of security advisory


Check-out the current testlink-code on branch “testlink_1_9”:

The following commit contains the fix since 2017-11-01:

Upgrade to 1.9.17 (after November 2017).


Restrict network access and do not expose the TestLink interface to the internet.

Advisory URL



EOF T.Weber / @2018

Project Details

  • TitleInsecure Direct Object Reference
  • ProductTestLink Open Source Test Management
  • Vulnerable version<1.9.17
  • Fixed version1.9.17 (after November 2017), and the current "testlink_1_9" branch
  • CVE number-
  • ImpactMedium
  • Homepage
  • Found2017-09-22
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab