Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormOmar KurtPACKETSTORM:133890
HistoryOct 07, 2015 - 12:00 a.m.

TestLink 1.9.13 SQL Injection

2015-10-0700:00:00
Omar Kurt
packetstormsecurity.com
14

EPSS

0.001

Percentile

50.8%

JSON
`Information  
--------------------  
Advisory by Netsparker.  
Name: SQL Injection Vulnerability in TestLink 1.9.13  
Affected Software : TestLink  
Affected Versions: 1.9.1.3 and possibly below  
Vendor Homepage : http://testlink.org/  
Vulnerability Type : SQL Injection  
Severity : Critical  
Status : Fixed  
CVE-ID : CVE-2015-7390  
Netsparker Advisory Reference : NS-15-015  
  
Description  
--------------------  
If your web application is vulnerable to SQL injection, a hacker is  
able to execute any malicious SQL query or command through the web  
application.  
  
Technical Details  
--------------------  
Proof of Concept URLs for SQL Injection vulnerability in TestLink:  
  
Page: lnl.php  
Parameter Name: apikey  
Parameter Type: GET  
Attack Pattern: '+(SELECT 1 FROM (SELECT SLEEP(25))A)+'  
  
For more information on SQL Injection vulnerabilities read the  
following article:  
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/sql-injection/  
  
Advisory Timeline  
--------------------  
15/09/2015 - First Contact  
02/10/2015 - Vendor Fixed  
05/10/2015 - Advisory Released  
  
Solution  
--------------------  
https://github.com/TestLinkOpenSourceTRMS/testlink-code/releases/tag/1.9.14  
  
Credits & Authors  
--------------------  
These issues have been discovered by Omar Kurt while testing  
Netsparker Web Application Security Scanner  
(https://www.netsparker.com).  
  
About Netsparker  
--------------------  
Netsparker web application security scanners find and report security  
flaws and vulnerabilities such as SQL Injection and Cross-site  
Scripting (XSS) in all websites and web applications, regardless of  
the platform and technology they are built on. Netsparker scanning  
engine’s unique detection and exploitation techniques allow it to be  
dead accurate in reporting vulnerabilities, hence it does not report  
any false positives. The Netsparker web application security scanner  
is available in two editions; Netsparker Desktop and Netsparker Cloud.  
Visit our website https://www.netsparker.com for more information.  
  
--   
Onur YΔ±lmaz - National General Manager  
  
Netsparker Web Application Security Scanner  
T: +90 (0)554 873 0482  
`

Related

securityvulns 2
nvd 1
cvelist 1
cve 1
prion 1
zdt 1
securityvulns
securityvulns
TestLink Security Advisory - SQL Injection Vulnerability - CVE-2015-7390
2015-10-26 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2015-10-26 00:00:00
nvd
nvd
CVE-2015-7390
2017-09-26 15:29:00
cvelist
cvelist
CVE-2015-7390
2017-09-26 15:00:00
cve
cve
CVE-2015-7390
2017-09-26 15:29:00
prion
prion
Sql injection
2017-09-26 15:29:00
zdt
zdt
TestLink 1.9.13 Cross Site Scripting / SQL Injection Vulnerabilities
2015-10-07 00:00:00

EPSS

0.001

Percentile

50.8%

JSON
Related for PACKETSTORM:133890
securityvulns2nvd1cvelist1cve1prion1zdt1