Vendor Description
“TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically.”
Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code
Business Recommendation
SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users.
A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies.
Vulnerability Overview/ Description
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced by different test cases. By using a simple ID iterator, all produced output data can be gathered from the whole system.
The actual impact strongly depends on the classification of the produced data which is referenced. Therefore, the risk can vary from low to critical depending on the use case.
Proof Of Concept
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment by using the following url:
<IP-Address>/lib/attachments/attachmentdownload.php;
The tag <IP-Address> specifies the target address and can also include a sub-folder where the hosted TestLink application is located.
Vulnerable / Tested Versions
The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.:
- 1.9.16
- 1.9.15
- 1.9.14