OpenRedirect leads to XSS attack in login.php #314
Closed
…ontents when executing test cases
… selection for next login
…lways applied creating an empty tree
The current year is probably a better year than almost a decade ago ;)
… roles" and "Assign Test Plan roles"
…esn't work (PHP compatibility)
…w link implementation between requirements and test cases (#300) * fix: #0009038: Make the 'Requirements based report' compliant with new link implementation between requirements and test cases Due to 1.9.18 changes concerning links between requirements and test cases, we change the report to work at version level. * fix: #0009038: Exclude of the report requirements with no linked (non obsolete) Test Case
…ix (#301) Due to 1.9.18 changes concerning links between requirements and test cases, we update and add methods to be able to retrieve a requirements coverage matrix. 1- getRequirements - retrieve all requirements 2- getRequirement - for a requirement, get a version (the last one by default) 3- getReqCoverage - for a requirement version, get the test cases linked with it
I think the function getIssueTrackerSystem has two issues, which I hope to correct with this request: 1. the return value of authenticate() is not checked, therefore even with wrong dev key the issue tracker data is sent out, leaking e.g. credentials for the issue tracker to anyone 2. a check if the user has the permission to view issue tracker info was missing
#207) * TICKET 0008715: Add a method to retrieve all requirements linked to a given test case Change-Id: Ib9c417f572306dbff9fbe31b3a0a8e32c7c03704 * Add rights check for getTestCaseRequirements * Add PHP tests for clientGetTestCaseRequirements * Review the method to retrieve requirements to be compliant with the new way to link TC and requirements Co-authored-by: atisne <[email protected]>
…o Test Case Specification
…o Test Case Specification
…en linking with an existing issue (#310) We can define a template for an execution note ($tlCfg->execution_template->notes) to automatically populate some contextual information. This template is used when creating a new external issue from a Testlink bug (using the 'Create issue' icon). But it is not used when we want to link a Testlink bug to an existing external issue (using the 'Link existent issue' icon). We now also use this template in the case of linking.
…rsion ID as inputs. (#312) When we use the option getPrefix, the way to retrieve the project prefix is not compliant with all these kind of inputs.
It may be useful to add some contextual information concerning the test case used in the execution note template. We add the patterns %%TCNAME%% (test case name) and %%TCEXTID%% (prefixed test case external ID) that can be substituted in the note template.
master branch is not the right one
Hi, guys

While using TestLink I noticed that an arbitrary open redirect is not validated properly, which may lead to the user's credentials being stolen (self-XSS).

Personally I prefer to split them into 2 vulns. Here's what I found:

0x01 The vulnerable regex -> Unvalidated Redirects and Forwards

The related code lies in login.php#371, which is shown as follows.

The regex expression `/linkto.php/` stands for the combination of `[linkto]{1}` + `[\w]{1}` + `[php]{1}`, in which `.` can be replaced by any single character, so as a consequence these inputs could pass the validation and be reflected in the HTTP response when a user succeeds in logging in.

So the remediation may be like `/^linkto\.php$/`, according to what you need. What happened next may elevate this risk to a High-Level vuln.

0x02 Improper XSS validation

While deeply analysing the function `redirect()`, I noticed an odd implementation. ONLY `addslashes` is used, which is SURELY NOT ENOUGH and VULNERABLE to XSS attack. Which means if I craft an XSS payload in the URL, it could execute any JavaScript code in the victim's browser, certainly after he's logged in.

Putting together

So the scenario is:

`http://testlink/login.php?viewer=123&destination=</script>linkto.php<script>alert(/xss/);//`

Remediation

For 0x01, you should validate the `$destination` properly according to Unvalidated_Redirects_and_Forwards_Cheat_Sheet. For 0x02, you should escape the user-input data (`htmlspecialchars()` for instance) properly, according to Cross_Site_Scripting_Prevention_Cheat_Sheet.html.
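The two remediations the report asks for, shown side by side as an added example (this is not TestLink's code and not the reporter's; the report does not quote the call that wraps the regex, so `preg_match` and all function and variable names here are assumptions). The first pair of functions contrasts the unanchored `/linkto.php/` pattern with an anchored, dot-escaped allowlist; the third function applies `htmlspecialchars()` so the value is encoded for an HTML context instead of only run through `addslashes()`. The inputs at the bottom are constructed: one legitimate relative target, one external host, and the payload shape from the report.

```php
<?php
// Added example, not TestLink's own code. Demonstrates the two checks the
// report asks for; preg_match() around the pattern is an assumption.

// Weak check as described in the report: an unanchored pattern with an
// unescaped dot only requires "linkto" + any one character + "php" to appear
// somewhere in the value, so prefixes and suffixes are accepted unchanged.
function destination_passes_weak_check(string $destination): bool
{
    return preg_match('/linkto.php/', $destination) === 1;
}

// Strict check: anchored at both ends, literal dot, and an optional query
// string limited to characters that cannot start a new HTML tag or attribute.
// Anything with a scheme, host, '<', '>', quotes or '/' is rejected.
function destination_passes_strict_check(string $destination): bool
{
    return preg_match('/^linkto\.php(\?[A-Za-z0-9_=&%-]*)?$/', $destination) === 1;
}

// Output encoding for an HTML attribute context. addslashes() leaves '<' and
// '>' untouched; htmlspecialchars() with ENT_QUOTES encodes every character
// that is significant to the HTML parser.
function render_redirect_link(string $destination): string
{
    $safe = htmlspecialchars($destination, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">Continue</a>';
}

// Constructed sample inputs (labels only, not values taken from the project).
$inputs = [
    'linkto.php?id=1',                              // legitimate relative target
    'https://example.org/linkto.php',               // external host: open redirect
    '</script>linkto.php<script>alert(/xss/);//',   // payload shape from the report
];

foreach ($inputs as $input) {
    printf("%-45s weak=%-6s strict=%s\n",
        $input,
        destination_passes_weak_check($input) ? 'accept' : 'reject',
        destination_passes_strict_check($input) ? 'accept' : 'reject');
    echo "  addslashes():       ", addslashes($input), "\n";
    echo "  htmlspecialchars(): ", render_redirect_link($input), "\n";
}
```

Run with `php example.php`: the weak check accepts all three inputs because each contains the substring `linkto.php`, the strict check accepts only `linkto.php?id=1`, and the `addslashes()` line shows the `<script>` tags passing through unmodified while the `htmlspecialchars()` line renders them as `&lt;script&gt;`. Validating the target against an allowlist and encoding for the output context are independent controls; the report's scenario needs both to fail, so both should be applied.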