Is a web-based test management system that facilitates software quality assurance. It is developed and maintained by Teamtest. The platform offers support for test cases, test suites, test plans, test projects and user management, as well as various reports and statistics.
In order to check the authorization mechanism, we search in code the session_start() assignment
We note the function "testLinkInitPage" and its arguments, catches our attention the arguments "dontCheckSession" and "userRightsCheckFunction",
then we search for TestLinkInitPage with his third argument setting as true, because we don't wanna to check our session (LOL we don't have)
Its seems that the files "attachmentdownload.php", "lnl.php" and "execPrint.php" don't check the user session, reading in deep on functions in these files,
we keep the file "attachmentdownload.php", let's see
It's assing id (of attachment), and skipcheck as variables directly from users requests, and no check users session, so we try to pass these values to construct a request to
on our lab:
on real pentester day's:
not really by the vendor, because that:
but for pentester's life is a good point.
"http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"Share on Twitter Share on Facebook