CVE-2024-46097
📋 TL;DR
TestLink 1.9.20 has a broken access control vulnerability (an insecure direct object reference) in the TestPlan editing function: the edit request identifies the plan by a client-supplied tplan_id, and the server never checks that the authenticated user is allowed to edit that plan. Any user with minimal privileges can therefore view and modify every TestPlan, including administrative ones, simply by changing the tplan_id value. This affects all TestLink 1.9.20 installations where users can create or edit TestPlans.
💻 Affected Systems
- TestLink
📦 What is this software?
TestLink, an open-source, web-based test management system written in PHP, used to organise test projects, test plans, test cases and execution results.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with basic user privileges could modify or delete all TestPlans in the system, including administrative ones, potentially disrupting testing workflows, leaking sensitive test data, or compromising test integrity.
Likely Case
Users with minimal permissions can view and modify TestPlans they shouldn't have access to, leading to unauthorized data access and potential test manipulation.
If Mitigated
With a server-side authorization check on every tplan_id (resolve the plan, then verify the requesting user's rights on it before reading or saving), users could only access TestPlans they are authorized to edit; a tampered tplan_id would be rejected.
🎯 Exploit Status
Exploitation requires an authenticated account but only minimal privileges. No special tooling is needed: the attacker submits an ordinary TestPlan edit request with the tplan_id parameter changed to the id of another TestPlan, using the browser or an intercepting proxy.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Implement Access Control Validation
- Add a server-side authorization check before any TestPlan edit is served or saved
- In the TestPlan editing code, look up the plan named by tplan_id and verify that the requesting user holds edit rights on it (or on its test project) before returning the form or applying changes
Input Validation for tplan_id
- Reject non-numeric tplan_id values and treat unknown ids as not found, so the authorization check always runs against a real plan
- Apply the check in editTestPlan.php or the equivalent endpoint that handles TestPlan edit requests
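The workaround above comes down to one missing step: resolve the plan named by tplan_id on the server and authorize the caller against that plan before touching it. The following is an added example written for this page, not TestLink's own code; the User and TestPlan classes, the in-memory plan table, the right name EDIT_RIGHT and the handler signatures are assumptions chosen to show the vulnerable pattern beside its hardened form.

```python
"""Object-level authorization for a TestPlan edit handler (added example, not TestLink code)."""
from dataclasses import dataclass, field


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass
class TestPlan:
    tplan_id: int
    testproject_id: int  # project the plan belongs to; rights are granted there
    name: str
    notes: str = ""


@dataclass
class User:
    login: str
    # testproject_id -> set of rights the user holds in that project.
    # Assumed model: TestLink grants rights through roles, so map your own
    # role lookup onto has_right().
    rights: dict = field(default_factory=dict)

    def has_right(self, testproject_id: int, right: str) -> bool:
        return right in self.rights.get(testproject_id, set())


EDIT_RIGHT = "testplan_edit"  # assumed right name; substitute the one your role model uses


def make_plans():
    """Constructed sample data: an admin-only plan in project 1, a tester plan in project 2."""
    return {
        10: TestPlan(10, 1, "Release sign-off (admin)", "do not touch"),
        42: TestPlan(42, 2, "Smoke tests"),
    }


def edit_plan_vulnerable(plans, user, tplan_id, new_notes):
    # Mirrors the bug: the caller is authenticated, but nothing ties tplan_id
    # to what they may edit, so whatever id the client sends is honoured.
    plan = plans[int(tplan_id)]
    plan.notes = new_notes
    return plan


def edit_plan_fixed(plans, user, tplan_id, new_notes):
    # 1. tplan_id is untrusted input: accept only an integer.
    try:
        tplan_id = int(tplan_id)
    except (TypeError, ValueError):
        raise NotFound("tplan_id must be numeric")
    # 2. Resolve the object on the server side.
    plan = plans.get(tplan_id)
    if plan is None:
        raise NotFound(f"no TestPlan {tplan_id}")
    # 3. Authorize against the plan's own project, never against anything the
    #    client supplied. Raise NotFound instead of Forbidden here if you also
    #    want to avoid confirming which ids exist.
    if not user.has_right(plan.testproject_id, EDIT_RIGHT):
        raise Forbidden(f"{user.login} may not edit TestPlan {tplan_id}")
    plan.notes = new_notes
    return plan


def attempt(handler, plans, user, tplan_id, new_notes="edited"):
    """Run a handler and report the outcome the way a tester would see it."""
    try:
        plan = handler(plans, user, tplan_id, new_notes)
    except Forbidden:
        return "forbidden"
    except (NotFound, KeyError):
        return "not found"
    return f"edited {plan.tplan_id}"


if __name__ == "__main__":
    tester = User("tester", {2: {EDIT_RIGHT}})  # low-privilege user, rights only in project 2
    print(attempt(edit_plan_vulnerable, make_plans(), tester, "10"))  # edited 10 (the bug)
    print(attempt(edit_plan_fixed, make_plans(), tester, "10"))       # forbidden
    print(attempt(edit_plan_fixed, make_plans(), tester, "42"))       # edited 42
```

The order of the three steps matters: validating the shape of tplan_id first keeps malformed values out of the lookup, and looking the plan up before authorizing means the check runs against the plan's real project, not against any project id the client might also send.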
🧯 If You Can't Patch
- Restrict TestPlan creation and editing permissions to trusted administrators only
- Implement network segmentation to isolate TestLink instances from untrusted networks; this limits who can obtain an account but does not stop an already-authenticated user, so pair it with the permission restriction above
🔍 How to Verify
Check if Vulnerable:
Log in as a low-privilege user, create a TestPlan and note its tplan_id. Then resend the edit request with tplan_id changed to the id of a TestPlan that user has no rights on (an administrative one, for example). If the edit form loads or the change is saved, the installation is vulnerable.
Check Version:
Check TestLink version in the application interface or configuration files
Verify Fix Applied:
After implementing fixes, attempt the same exploitation steps - you should receive an access denied error when trying to edit unauthorized TestPlans.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed access attempts to different tplan_id values from same user
- User accessing TestPlans outside their normal scope
Network Indicators:
- A single session sending edit requests with many different tplan_id values, or with non-numeric tplan_id values
- Unusual volume or timing of TestPlan edit requests from one account
SIEM Query:
source="testlink" AND (action="edit" OR action="modify") AND tplan_id NOT IN authorized_list
(pseudo-query: map tplan_id and the per-user authorized set onto your SIEM's field names and lookup table)
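The indicators above can be checked directly against access logs. The following is an added example, not part of the original advisory and not TestLink code: it assumes the web server or reverse proxy logs the authenticated user name beside each request (TestLink itself writes no such line), uses a constructed line format and constructed sample log, keeps the page's placeholder endpoint name editTestPlan.php, and models the "authorized_list" as a per-user set of plan ids. Adapt the regular expression and the authorized map to your own logs.

```python
"""Access-log rules for tplan_id abuse (added example; format and data are constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumed line format: "<ISO timestamp> <user> <method> <path?query> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)

# Constructed: alice may edit plan 42, bob may edit plan 7 (an administrative plan).
AUTHORIZED = {"alice": {42}, "bob": {7}}

# Constructed sample log: alice walks through foreign ids and finally lands on plan 7.
SAMPLE_LOG = """\
2024-06-01T10:00:01 alice POST /editTestPlan.php?tplan_id=42 200
2024-06-01T10:00:09 alice POST /editTestPlan.php?tplan_id=43 403
2024-06-01T10:00:11 alice POST /editTestPlan.php?tplan_id=44 403
2024-06-01T10:00:12 alice POST /editTestPlan.php?tplan_id=45 403
2024-06-01T10:00:14 alice POST /editTestPlan.php?tplan_id=7 200
2024-06-01T10:05:00 bob GET /editTestPlan.php?tplan_id=7 200
2024-06-01T10:06:00 bob POST /editTestPlan.php?tplan_id=7 200
2024-06-01T10:07:00 carol GET /index.php 200
2024-06-01T10:08:00 mallory GET /editTestPlan.php?tplan_id=42%27 500
"""


def parse_line(line):
    """Return an event dict for a request that names a tplan_id, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    values = parse_qs(urlparse(m["target"]).query).get("tplan_id")
    if not values:
        return None  # request does not touch a TestPlan
    raw = values[0]
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "method": m["method"],
        "tplan_id": int(raw) if raw.isdigit() else raw,  # non-numeric kept raw so it can be flagged
        "status": int(m["status"]),
    }


def analyze(log_text, authorized, window_seconds=60, enum_threshold=3):
    """Apply three rules and return a list of alert dicts.

    - malformed_tplan_id: the parameter was not a plain integer
    - unauthorized_tplan_denied / _granted: user asked for a plan outside
      their authorized set; a 2xx means the server honoured the foreign id
    - tplan_id_enumeration: enum_threshold or more distinct ids from one
      user inside window_seconds
    """
    alerts = []
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        per_user[ev["user"]].append(ev)
        if not isinstance(ev["tplan_id"], int):
            alerts.append({"rule": "malformed_tplan_id", "user": ev["user"], "tplan_id": ev["tplan_id"]})
            continue
        if ev["tplan_id"] not in authorized.get(ev["user"], set()):
            rule = "unauthorized_tplan_granted" if 200 <= ev["status"] < 300 else "unauthorized_tplan_denied"
            alerts.append({"rule": rule, "user": ev["user"], "tplan_id": ev["tplan_id"], "status": ev["status"]})
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            distinct = {
                e["tplan_id"] for e in evs[i:]
                if isinstance(e["tplan_id"], int)
                and (e["ts"] - first["ts"]).total_seconds() <= window_seconds
            }
            if len(distinct) >= enum_threshold:
                alerts.append({"rule": "tplan_id_enumeration", "user": user, "tplan_ids": sorted(distinct)})
                break  # one enumeration alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, AUTHORIZED):
        print(alert)
```

On the sample, the denied requests show the probing, the enumeration rule fires on the burst of distinct ids, and the single unauthorized_tplan_granted alert (alice on plan 7) is the one that indicates the IDOR actually succeeded and deserves incident handling rather than a warning.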