Executive Summary

This vulnerability affects TestLink versions 1.16 through 1.19 and involves an unauthenticated file download issue in the attachmentdownload.php script. Attackers can exploit this by sending requests with the 'id' parameter (representing file IDs) and 'skipCheck=1' to bypass session validation and access controls, allowing them to download arbitrary files without authentication. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to download arbitrary files from the TestLink server without authentication. This can lead to unauthorized access to potentially sensitive or confidential attachments, exposing private information and compromising data security. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the attachmentdownload.php endpoint with the 'id' parameter and 'skipCheck=1' without authentication. For example, you can use curl commands to test if arbitrary files can be downloaded by iterating file IDs. A sample command is: curl -i "http://HOST/lib/attachments/attachmentdownload.php?id=1&skipCheck=1". By incrementing the 'id' parameter, you can check if files are accessible without authentication, indicating the vulnerability. [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the attachmentdownload.php endpoint to authenticated users only, disabling or removing the 'skipCheck=1' parameter functionality, and applying any available patches or updates from the vendor. Additionally, consider implementing web application firewall (WAF) rules to block unauthorized requests to this endpoint and monitor access logs for suspicious activity. [1, 3]

Useful 0 Not Useful 0