CVE-2021-40875
📋 TL;DR
CVE-2021-40875 is an improper access control vulnerability in Gurock TestRail that allows unauthenticated attackers to access the /files.md5 file, revealing application file paths. This can lead to discovery of sensitive files containing credentials, API keys, or other confidential data. Organizations using TestRail versions below 7.2.0.3014 are affected.
💻 Affected Systems
- Gurock TestRail
📦 What is this software?
TestRail, a web-based test case management application by Gurock.
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, API keys, or database connection strings, leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Attackers discover sensitive configuration files, extract hardcoded credentials or API keys, and gain unauthorized access to TestRail or integrated systems.
If Mitigated
Attackers can only enumerate file paths but cannot access sensitive content due to proper file permissions and network segmentation.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint. Multiple proof-of-concept scripts are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.0.3014
Vendor Advisory: https://www.gurock.com/testrail/docs/admin/howto/upgrade
Restart Required: Yes
Instructions:
1. Back up the TestRail database and application files.
2. Download TestRail version 7.2.0.3014 or later from the Gurock customer portal.
3. Follow the official upgrade guide at https://www.gurock.com/testrail/docs/admin/howto/upgrade.
4. Restart TestRail services after the upgrade.
🔧 Temporary Workarounds
Block access to /files.md5
Configure the web server or WAF to block requests to the /files.md5 endpoint:
# Apache: RewriteRule ^/files\.md5$ - [F,L]
# Nginx: location = /files.md5 { return 403; }
# IIS: Add request filtering rule for /files.md5
Restrict network access
Limit TestRail access to trusted IP addresses only:
# Example firewall rule (Linux): iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT (only effective with a default DROP policy or a following DROP rule for port 80 from other sources; repeat for 443 if TLS is served)
# Windows Firewall: New-NetFirewallRule -DisplayName "TestRail Access" -Direction Inbound -LocalPort 80 -RemoteAddress TRUSTED_IP -Action Allow
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TestRail from internet and untrusted networks
- Deploy web application firewall (WAF) with rules to detect and block access to sensitive file paths
🔍 How to Verify
Check if Vulnerable:
Request http://[testrail-server]/files.md5 in a browser or via curl. If a file listing is returned, the system is vulnerable.
Check Version:
Check the TestRail version in Administration > Site Settings > Version, or via database query: SELECT value FROM settings WHERE name = 'version'
Verify Fix Applied:
Attempt to access the /files.md5 endpoint after patching. It should return 403 Forbidden or a similar error.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to GET /files.md5 requests
- Multiple sequential requests to discovered file paths
Network Indicators:
- Unusual traffic patterns to /files.md5 endpoint
- External IP addresses accessing sensitive file paths
SIEM Query:
source="web_server" AND (url="/files.md5" OR url CONTAINS "/files/") AND response_code=200
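The log indicators above, turned into a check that runs over web server access logs: it flags clients that received HTTP 200 for /files.md5 and then requested further paths. This is an added example, not part of the original page or any TestRail tooling; the log lines, IP addresses and probed paths are constructed, and the combined-log-format layout is assumed.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2021:10:01:02 +0000] "GET /files.md5 HTTP/1.1" 200 48213 "-" "curl/7.68.0"
203.0.113.7 - - [20/Sep/2021:10:01:05 +0000] "GET /config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.7 - - [20/Sep/2021:10:01:06 +0000] "GET /app/config/db.php HTTP/1.1" 200 1821 "-" "curl/7.68.0"
203.0.113.7 - - [20/Sep/2021:10:01:07 +0000] "GET /app/config/.env HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.4 - - [20/Sep/2021:10:02:00 +0000] "GET /index.php?/dashboard HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2021:10:02:30 +0000] "GET /files.md5 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Client IP, request line and status code are all this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, method, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def detect(log_text, followup_threshold=2):
    """Flag clients that read /files.md5 with HTTP 200 and then requested at least
    followup_threshold distinct other paths. A 403 on /files.md5 is a blocked
    attempt and is not flagged. Returns {ip: {"files_md5_reads", "followup_paths"}}."""
    state = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, status = rec
        if path == "/files.md5" and status == 200:
            s = state.setdefault(ip, {"files_md5_reads": 0, "followup_paths": []})
            s["files_md5_reads"] += 1
        elif ip in state and path not in state[ip]["followup_paths"]:
            # Every path requested after the successful read counts as a follow-up probe,
            # whatever its status: a 403 records the attempt, a 200 records exposure.
            state[ip]["followup_paths"].append(path)
    return {ip: s for ip, s in state.items() if len(s["followup_paths"]) >= followup_threshold}

if __name__ == "__main__":
    for ip, s in detect(SAMPLE_LOG).items():
        print(f"{ip}: /files.md5 read {s['files_md5_reads']}x, then probed {s['followup_paths']}")
```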
🔗 References
- http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html
- https://github.com/SakuraSamuraii/derailed
- https://johnjhacking.com/blog/cve-2021-40875/
- https://www.gurock.com/testrail/tour/enterprise-edition