Unrestricted Upload of File with Dangerous Type in Gurock’s TestRail (CVE-2018-20063)

TestRail (tested on version 5.6.0.3853) contains an unrestricted file upload vulnerability. Exploiting it requires an account that can create a section, test case or similar object that accepts an image upload. If the web server configuration makes the upload directory directly accessible, any uploaded file can be executed by the web server.

In some cases an administrative account is also needed to make a configuration change (see the last part of the article).


Disclaimer

I tried to contact Gurock multiple times, but they decided that it’s not really important to fix this issue, so I decided to make a full disclosure of this vulnerability. Here is a timeline:

15.08.2018 — Found vulnerability and contacted Gurock.

11.12.2018 — Received a CVE-ID: CVE-2018-20063.

12.12.2018 — No answer received; finished an unlisted article on Medium and sent a link to Gurock once more, then received an answer.

12.12–21.12 — Multiple messages from Gurock saying that this vulnerability isn’t important and cannot be exploited (but they were talking about fixing it).

21.12.2018 — Last message from Gurock, saying that there will be an update soon.

22.02.2019 — Public version of this article.

25.02.2019 — CVE information is now public.


Step-by-step guide

Enter section creation menu

Click on “Add Images” icon

Drag and drop an image file, intercept the request and change the file extension to .php.

After the upload completes you will get a link to the file.

The real file path will be {upload_dir}/N.{original_filename}, where N is the index of the uploaded file. Visiting the uploaded file by its real path now executes the phpinfo(); it contains.
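As an added illustration (not TestRail’s code) of the server-side check whose absence the steps above rely on: the claimed extension is matched against an allowlist of image types, the file’s magic bytes must agree with that type, and the on-disk name is built only from server-chosen parts instead of the client-supplied filename. The allowlist and the naming scheme are assumptions for this example.

```python
import os
import secrets

# Allowed image types: extension -> accepted magic-byte prefixes
# (constructed allowlist for this example, not TestRail's configuration).
ALLOWED_IMAGE_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_image_upload(client_filename: str, content: bytes) -> str:
    """Return the allowlisted extension for an upload, or raise ValueError.

    The client-supplied name is used only to read the claimed extension; the
    decision is made on the file's magic bytes, so an image request whose
    extension was changed to .php is rejected at the extension check, and a
    script body uploaded under an image extension fails the content check.
    """
    # Drop any path components smuggled into the name; keep the base name only.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("upload has no extension")
    # Only the last extension is considered; it must be an allowed image type.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"extension .{ext} is not an allowed image type")
    # The bytes must start with a signature that belongs to the claimed type.
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        raise ValueError(f"content does not match claimed type .{ext}")
    return ext


def is_rejected(client_filename: str, content: bytes) -> bool:
    """Convenience wrapper: True when the validator refuses the upload."""
    try:
        validate_image_upload(client_filename, content)
    except ValueError:
        return True
    return False


def stored_name(index: int, ext: str) -> str:
    """Build the on-disk name from server-controlled parts only.

    The page describes uploads stored as N.{original_filename}; here the
    original name is dropped entirely, so the attacker chooses neither the
    basename nor the extension of the file that lands in the upload directory.
    """
    return f"{index}.{secrets.token_hex(8)}.{ext}"
```

Validation like this is one layer; the web server must still refuse to execute scripts from the upload directory, which is the point of the official guidance about keeping that directory off the web root.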

What if the attachment directory is not directly accessible?

The official guide says that the attachment directory must be set up so that it is not directly accessible via the web, but an account with administrative rights can change it here to any writable directory on the web server. As a result, all uploaded files become accessible to anyone.