TestLink (version <= 1.9.19) Server Side Request Forgery

TestLink (version <= 1.9.19) is vulnerable to an unauthenticated Server-Side Request Forgery (SSRF) that allows an attacker to port-scan network devices. The device may be the same host that runs the TestLink code, or any other host reachable on the same network. The issue exists in the script "install/installNewDB.php", and the affected parameter is "databasehost".

The interesting thing about TestLink is that any user can access the "install/installNewDB.php" page and perform a re-installation by supplying valid remote MySQL server credentials. This is unusual: CMSs and other self-installing scripts generally refuse to run the installer once they are connected to a database that already contains content. An attacker can take advantage of this behaviour: they only need to intercept the HTTP POST request in which TestLink tries to connect to the remote/local SQL server.

Script behaviour that reveals open or closed ports

In the HTTP request, the POST parameter "databasehost" normally carries "localhost" or a remote IP. If the value is changed to "localhost:port", "internal_IP:port" or "external_IP:port", the script tries to connect to that server on the specified port. For example, with the value "localhost:445" the script tries to connect to localhost on port 445. If port 445 is open on the machine, the script connects to it, but because that port runs an SMB service rather than a SQL server, the script concludes that the SQL server on this port is dead and prints the SQL server message "MySQL server has gone away" (in my case it was MySQL). In the other case, if the "databasehost" value is "localhost:1337" and port 1337 is not open, the script shows the SQL server error message "No connection could be made because the target machine actively refused it.", which clearly indicates that port 1337 is not open.
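The root causes described above are two separate weaknesses: the installer accepts a "host:port" value where only a database host is expected, and it keeps running after the application is already configured. The following Python is an added example written for this page, not TestLink's own code (which is PHP); it shows the two checks an installer would need so that the "databasehost" parameter cannot be steered at arbitrary host/port pairs. The allowlist, the config-file marker and every function name are assumptions of the example.

```python
import ipaddress
import re
from pathlib import Path

# Operator-maintained allowlist of database hosts the installer may contact.
# Assumption for this example: TestLink itself has no such setting.
DEFAULT_ALLOWED_HOSTS = ("localhost", "127.0.0.1")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)


def validate_database_host(value, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Validate a 'databasehost' form value; return it normalised or raise ValueError.

    Two independent checks: the value must be a bare hostname or IP literal
    (no 'host:port', no 'user@host', no URL or path fragments), and the host
    must be on an explicit allowlist. The first stops the installer from being
    pointed at an arbitrary port; the second stops it from being pointed at an
    arbitrary host at all.
    """
    host = value.strip().lower()
    if not host:
        raise ValueError("databasehost is empty")
    try:
        host = str(ipaddress.ip_address(host))  # accepts '127.0.0.1' and '::1'
    except ValueError:
        # Not an IP literal. A ':' means an attached port, '@' embedded
        # credentials, '/' or '\' a URL or path fragment: reject them all.
        if any(ch in host for ch in ":@/\\"):
            raise ValueError("databasehost must be a bare hostname or IP address") from None
        if not _HOSTNAME_RE.match(host):
            raise ValueError("databasehost is not a valid hostname") from None
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"database host {host!r} is not on the allowlist")
    return host


def is_acceptable_host(value, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Boolean wrapper around validate_database_host for callers that only gate."""
    try:
        validate_database_host(value, allowed_hosts)
        return True
    except ValueError:
        return False


def installer_allowed(config_path):
    """Refuse to run the installer once the application is configured.

    Assumption for this example: the generated config file marks a finished
    install. Removing the install directory after setup is the stronger fix.
    """
    return not Path(config_path).exists()


def check_install_request(form, config_path, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Gate an installer POST. Returns (accepted, reason)."""
    if not installer_allowed(config_path):
        return False, "installer disabled: application is already configured"
    try:
        host = validate_database_host(form.get("databasehost", ""), allowed_hosts)
    except ValueError as exc:
        return False, str(exc)
    return True, f"database host {host} accepted"


if __name__ == "__main__":
    for candidate in ("localhost", "localhost:445", "192.168.56.105:22", "192.168.56.145"):
        verdict = "accept" if is_acceptable_host(candidate) else "reject"
        print(f"{candidate!r:>22} -> {verdict}")
```

Rejecting the port suffix alone would still leave the installer usable as a host-liveness oracle (the non-existing-IP case later on this page), which is why the allowlist check is kept separate from the syntax check; disabling the installer after setup makes both moot.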

Example of open port enumeration

Consider the case of an internal IP on the same network. The server 192.168.56.101 hosts the TestLink code, and a Linux server with IP 192.168.56.105 has its SSH port open. If the "databasehost" parameter is set to "192.168.56.105:22", the TestLink script tries to connect to 192.168.56.105 on port 22 and prints the SQL server message "MySQL server has gone away", because the port is open but SSH rather than MySQL is running on it. This error message indicates that the port on 192.168.56.105 is open.

Example of a non-existing IP

Now consider a case in which no machine with IP 192.168.56.145 exists on the network and we try to connect to any port on it. The script responds with the SQL server message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond", which indicates that the IP is not live.

The scenario above shows how an attacker can use the TestLink script to scan network IPs and their open ports.
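Because the probe travels in a POST body, ordinary access logs never show the "databasehost" value; detection needs a WAF, reverse proxy or application log that records request bodies. The Python below is an added example for this page, not part of the original PoC: it runs over constructed audit records (the format, the sample addresses and the function names are all assumptions) and raises three kinds of alert, from the cheapest signal (any request to the install scripts at all) to the pattern the advisory describes (one source steering "databasehost" at many distinct host:port pairs in a short window).

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Installer scripts named in the advisory; any hit after setup is suspicious.
INSTALLER_PATHS = ("/install/installnewdb.php", "/install/installcheck.php")

# 'host:port' or '[v6addr]:port' attached to the databasehost value.
_HOST_PORT_RE = re.compile(r"^\[?([^\]/@]+?)\]?:(\d{1,5})$")

# Constructed sample records (not real traffic). Assumed format: one JSON
# object per request including the POST body, as a WAF or reverse proxy might log.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01", "src": "203.0.113.7", "method": "POST", "path": "/testlink-1.9.19/install/installNewDB.php", "body": "databasehost=localhost%3A22&databaselogin=root&databasepassword=x"}
{"ts": "2024-05-01T10:00:02", "src": "203.0.113.7", "method": "POST", "path": "/testlink-1.9.19/install/installNewDB.php", "body": "databasehost=192.168.56.105%3A22&databaselogin=root&databasepassword=x"}
{"ts": "2024-05-01T10:00:03", "src": "203.0.113.7", "method": "POST", "path": "/testlink-1.9.19/install/installNewDB.php", "body": "databasehost=192.168.56.105%3A445&databaselogin=root&databasepassword=x"}
{"ts": "2024-05-01T10:00:04", "src": "203.0.113.7", "method": "POST", "path": "/testlink-1.9.19/install/installNewDB.php", "body": "databasehost=192.168.56.145%3A80&databaselogin=root&databasepassword=x"}
{"ts": "2024-05-01T10:05:00", "src": "198.51.100.9", "method": "GET", "path": "/testlink-1.9.19/login.php", "body": ""}
{"ts": "2024-05-01T10:06:00", "src": "198.51.100.9", "method": "POST", "path": "/testlink-1.9.19/install/installNewDB.php", "body": "databasehost=localhost&databaselogin=root&databasepassword=x"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def is_installer_request(rec):
    return rec["path"].lower().endswith(INSTALLER_PATHS)


def probe_target(rec):
    """Return (host, port) when a POST steers databasehost at host:port, else None."""
    if rec["method"] != "POST":
        return None
    value = parse_qs(rec["body"]).get("databasehost", [""])[0].strip()
    match = _HOST_PORT_RE.match(value)
    return (match.group(1), int(match.group(2))) if match else None


def analyse(records, window=timedelta(minutes=5), min_targets=3):
    """Return (src, kind, detail) alerts.

    installer-access: any request to the install scripts
    ssrf-probe:       databasehost carried an explicit port
    port-scan:        a source probed >= min_targets distinct host:port pairs
                      within `window`
    """
    alerts = []
    probes = defaultdict(list)  # src -> [(ts, (host, port)), ...]
    for rec in records:
        if not is_installer_request(rec):
            continue
        alerts.append((rec["src"], "installer-access", rec["path"]))
        target = probe_target(rec)
        if target:
            alerts.append((rec["src"], "ssrf-probe", f"{target[0]}:{target[1]}"))
            probes[rec["src"]].append((rec["ts"], target))
    for src, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {t for ts, t in events[i:] if ts - start <= window}
            if len(distinct) >= min_targets:
                alerts.append((src, "port-scan",
                               f"{len(distinct)} distinct host:port targets within {window}"))
                break
    return alerts


def flagged_sources(text, kind="port-scan"):
    """Sorted source addresses that raised an alert of the given kind."""
    return sorted({a[0] for a in analyse(parse_records(text)) if a[1] == kind})


if __name__ == "__main__":
    for src, kind, detail in analyse(parse_records(SAMPLE_LOG)):
        print(f"{src:<14} {kind:<17} {detail}")
```

On an instance that has finished setup, the "installer-access" alert on its own is enough to act on; the "port-scan" threshold matters only where the install directory has to stay reachable and a legitimate re-install would otherwise look the same as a single probe.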

Steps to Reproduce (Manual):

  1. Configure your web browser with any proxy software (I am using Burp Suite).
  2. Access the URL below in the web browser and click the "Continue" button: http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
  3. Turn on Burp interception.
  4. Now, in the web browser, fill in the relevant input fields (database admin login/password etc.) and click the "Process TestLink Setup" button.
  5. In Burp Proxy, send the intercepted request to the Burp Repeater tab by pressing the "CTRL+R" key combination.
  6. Switch to the Burp Repeater tab and change the value of the HTTP POST parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux and SSH is running on it), then click the "Go" button in Burp Repeater.
  7. The application response will appear in the Burp Repeater response tab, showing "MySQL server has gone away".
  8. Now change the value of "databasehost" from "localhost:22" to "localhost:1337" and click the "Go" button in Burp Repeater.
  9. The application will respond with an HTTP response containing the SQL server error message "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond".

Automated script in action

The vulnerable TestLink installation directory is "http://localhost/testlink-1.9.19/". The target being scanned is 192.168.0.2.

POC 1

Result after finishing the scanning

POC 2

--==[[ Greetz To ]]==--

Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash

--==[[Love to]]==--

My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri, Thecolonial and Don(Deepika kaushik)