Unauthorized File Download (Attached files) - TestLink (1.16 <= 1.19)


What is TestLink?

TestLink is a web-based test management system that facilitates software quality assurance. It is developed and maintained by Teamtest. The platform offers support for test cases, test suites, test plans, test projects and user management, as well as various reports and statistics.

Features

  • User roles and management
  • Grouping of test cases in test specifications
  • Test plans
  • Platforms
  • Requirements with versioning and revisioning
  • Support for testing different builds of the software
  • Reports, charts and monitors
  • Customization of the user interface using Smarty Templates
  • Integration with LDAP
  • Integration with other software using a provided API
  • Bug tracking system integration (Mantis, Jira and others)

Vendor: https://testlink.org/

Look at the source!

To review the authorization mechanism, we search the code for the session_start() call.

session start

We note the function "testLinkInitPage" and its arguments; the arguments "dontCheckSession" and "userRightsCheckFunction" catch our attention.

Then we search for calls to testLinkInitPage with its third argument set to true, because we don't want our session to be checked (LOL, we don't have one).

possible vulns?

It seems that the files "attachmentdownload.php", "lnl.php" and "execPrint.php" don't check the user session. After reading the functions in these files in depth,

we stick with the file "attachmentdownload.php". Let's see:

download function

It assigns id (of the attachment) and skipCheck as variables directly from the user's request, and does not check the user's session, so we try passing these values to construct a request to

"http://HOST/lib/attachments/attachmentdownload.php?id=1&skipCheck=1" 

In our lab:

files stored on lab server

file downloaded

In a real pentester's day:

Really a bug?

Not really, according to the vendor, because of this:

But for a pentester's life it is a good point.

SPOILER

"http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"
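From the defender's side, requests like the one above leave a recognizable trace in web server access logs. The following is an added example, not part of the original post or of TestLink: it assumes the common/combined access log format, and the sample log lines, addresses, the /testlink prefix and the min_ids threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Script path and parameter names are the ones quoted in the post.
TARGET_PATH = "/lib/attachments/attachmentdownload.php"

# Common/combined access log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2020:10:00:01 +0000] "GET /testlink/lib/attachments/attachmentdownload.php?id=1&skipCheck=1 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2020:10:00:02 +0000] "GET /testlink/lib/attachments/attachmentdownload.php?id=2&skipCheck=1 HTTP/1.1" 200 88231
198.51.100.7 - - [10/Mar/2020:10:00:02 +0000] "GET /testlink/lib/attachments/attachmentdownload.php?id=3&skipCheck=1 HTTP/1.1" 200 1044
198.51.100.7 - - [10/Mar/2020:10:00:03 +0000] "GET /testlink/lib/attachments/attachmentdownload.php?id=4&skipCheck=1 HTTP/1.1" 403 199
203.0.113.20 - alice [10/Mar/2020:10:05:00 +0000] "GET /testlink/lib/attachments/attachmentdownload.php?id=2 HTTP/1.1" 200 88231
203.0.113.20 - alice [10/Mar/2020:10:05:09 +0000] "GET /testlink/index.php HTTP/1.1" 200 7312
"""


def find_skipcheck_enumeration(log_text, min_ids=3):
    """Map each client that requested >= min_ids distinct attachment ids
    with skipCheck present to the ids requested and the ids served (200)."""
    seen = defaultdict(lambda: {"requested": set(), "served": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m.group("target"))
        query = parse_qs(url.query, keep_blank_values=True)
        if not url.path.lower().endswith(TARGET_PATH) or "skipCheck" not in query:
            continue
        for raw_id in query.get("id", []):
            if raw_id.isdecimal():
                seen[m.group("client")]["requested"].add(int(raw_id))
                if m.group("status") == "200":
                    seen[m.group("client")]["served"].add(int(raw_id))
    return {client: {k: sorted(v) for k, v in hits.items()}
            for client, hits in seen.items() if len(hits["requested"]) >= min_ids}


if __name__ == "__main__":
    for client, hits in find_skipcheck_enumeration(SAMPLE_LOG).items():
        print(client, "requested", hits["requested"], "served", hits["served"])
```

The "served" list gives the attachment ids to review when scoping what was exposed to a flagged client.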
