Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) Testproject Names and (2) Testplan Names in planEdit.php, and possibly (3) Testcaseprefixes in projectview.tpl.
TestLink, a popular test management tool, is vulnerable to multiple cross-site scripting (XSS) attacks. Attackers can inject malicious scripts into the application through crafted input fields, potentially leading to account compromise, data theft, and website defacement.
Step 1: Payload Delivery: An attacker crafts a malicious payload containing JavaScript code (e.g., <script>alert('XSS')</script>) or HTML code.
Step 2: Input Injection: The attacker injects the crafted payload into a vulnerable input field, such as the 'Testproject Name' or 'Testplan Name' fields within TestLink.
Step 3: Data Storage: The injected payload is stored in the TestLink database, associated with the project or test plan.
Step 4: Output Rendering: When a legitimate user views the project or test plan, the application retrieves the stored data from the database.
Step 5: Script Execution: The application renders the data, including the attacker's injected payload, in the user's web browser without proper sanitization or encoding. The browser then executes the malicious JavaScript code.
Step 6: Exploitation: The executed JavaScript code can perform various malicious actions, such as stealing user cookies, redirecting the user to a phishing site, or defacing the website.
The vulnerability stems from insufficient input validation and, above all, missing output encoding in TestLink versions prior to 1.8 RC1. User-supplied values such as project names, test plan names, and potentially test case prefixes are accepted without sanitization and then written into the generated HTML without escaping, so any HTML or JavaScript they contain is interpreted by the browser rather than displayed as text. Because the application trusts this input, the injected script runs in the security context of the vulnerable site and of the user viewing the page. The flaw resides in planEdit.php and potentially projectview.tpl, where the stored values are incorporated directly into the HTML output.
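The following block is an added illustration, not TestLink's own code, of the defect the attack chain above describes: a name containing markup is stored unchanged and later rendered, first by direct concatenation (the vulnerable pattern) and then through HTML encoding at the point of output (the fix). The in-memory "database", the function names, and the sample name are constructed for this example.

```php
<?php
// Added example (not from TestLink): stored XSS round trip and its fix.
// The array below stands in for the database row written when a project
// or test plan is saved; the name is a constructed sample of the kind of
// input the text describes.
$storedRows = [];
$untrustedName = "Release 2 <script>alert('XSS')</script>";

// Saving the raw string is acceptable as long as it is never trusted on
// output. (SQL injection is a separate concern, handled by prepared
// statements, and is not what this CVE is about.)
$storedRows[] = ['id' => 1, 'name' => $untrustedName];

// Vulnerable rendering: the stored value is concatenated straight into the
// HTML, so the browser parses the <script> element and executes it.
function renderVulnerable(array $row): string
{
    return "<option value=\"{$row['id']}\">{$row['name']}</option>";
}

// Hardened rendering: encode at the point of output. ENT_QUOTES also
// converts single quotes, so the result is safe inside quoted attributes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(array $row): string
{
    return '<option value="' . escapeHtml((string) $row['id']) . '">'
         . escapeHtml($row['name']) . '</option>';
}

foreach ($storedRows as $row) {
    echo "Vulnerable: " . renderVulnerable($row) . PHP_EOL;
    echo "Hardened:   " . renderHardened($row) . PHP_EOL;
}
```

The hardened output contains `&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;`, which the browser displays as literal text instead of executing. In a Smarty template such as projectview.tpl the equivalent fix is to pass the value through the `escape` modifier (for example `{$name|escape}`) rather than emitting `{$name}` directly; the encoding belongs at every output point, not only in the save path, because the stored value can be rendered in more than one page.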