Kiwi TCMS Information Disclosure Scanner
Detects 'Information Disclosure' vulnerability in Kiwi TCMS.

Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 1 hour
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Kiwi TCMS is an open-source test management tool commonly used by QA teams and developers for managing test cases, plans, and reports. It is designed to be deployed in both enterprise and community settings where detailed testing workflows are required. The software is used in different organizations to streamline testing processes and ensure the quality of software delivery. With its web-based interface, teams can collaborate effectively on creating and managing test plans and test execution. Kiwi TCMS supports integration with various CI/CD tools which makes it valuable for DevOps environments. By offering robust reporting capabilities, it helps teams in tracking test coverage and identifying potential gaps early in the development cycle.
Information Disclosure refers to the unintended exposure of sensitive information that malicious actors could leverage. It typically involves exposing internal system details, user information, or other confidential data. Vulnerabilities of this type arise from insufficient access controls or security misconfigurations. In web applications, the cause is often excessive detail in error messages or data served by accessible API endpoints. An attacker exploiting such a weakness can learn about the system architecture and user accounts and gather information useful for further exploitation. Identifying and sealing such information leaks is crucial to maintaining system security.
The vulnerability in Kiwi TCMS is located in the JSON-RPC interface, which can inadvertently expose sensitive internal information. The affected endpoint is '/json-rpc/', which processes POST requests and should handle internal queries securely. The vulnerable parameters are the "method" and "params" fields of the JSON payload, where insufficient validation can permit unauthorized queries. Specifically, the "User.filter" method can be called to query active user data, disclosing usernames to callers who should not be able to see them. Misconfigured or inadequate authorization checks therefore lead to unauthorized access to sensitive user information such as usernames.
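The mitigation for this class of flaw is an authorization decision taken before the RPC handler runs. The following is an added example, not Kiwi TCMS code: a minimal JSON-RPC 2.0 dispatcher in which a method that returns account data ("User.filter") is refused for anonymous callers. The method table, the handler bodies, the sample user records and the notion of a `user` argument standing for the authenticated session are all assumptions made for illustration.

```python
"""Added example (not Kiwi TCMS's implementation): a JSON-RPC dispatcher that
refuses user-data methods to anonymous callers before any handler executes."""
import json
from typing import Optional

# Constructed sample records; a real handler would query the database.
SAMPLE_USERS = [
    {"username": "alice", "is_active": True},
    {"username": "bob", "is_active": False},
]


def _user_filter(params, user):
    # Hypothetical handler: return the users matching every key in the query dict.
    query = params[0] if params else {}
    return [u for u in SAMPLE_USERS if all(u.get(k) == v for k, v in query.items())]


def _version(params, user):
    # Hypothetical harmless method that anonymous callers may use.
    return "x.y (placeholder)"


# Hypothetical method registry standing in for the application's RPC table.
METHODS = {"User.filter": _user_filter, "Version": _version}

# Methods that reveal account data; only authenticated sessions may call them.
AUTH_REQUIRED = {"User.filter"}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def dispatch(body: str, user: Optional[str]) -> dict:
    """Handle one JSON-RPC 2.0 request body. `user` is None for anonymous callers."""
    try:
        req = json.loads(body)
    except ValueError:
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" \
            or not isinstance(req.get("method"), str):
        return _error(req.get("id") if isinstance(req, dict) else None,
                      -32600, "Invalid Request")
    method, params, req_id = req["method"], req.get("params", []), req.get("id")
    handler = METHODS.get(method)
    if handler is None:
        return _error(req_id, -32601, "Method not found")
    # The authorization gate sits in the dispatcher, so every handler that
    # touches account data is covered regardless of what the handler itself checks.
    if method in AUTH_REQUIRED and user is None:
        return _error(req_id, -32000, "Authentication required")
    if not isinstance(params, (list, dict)):
        return _error(req_id, -32602, "Invalid params")
    if isinstance(params, dict):
        params = [params]  # normalise named params to the positional form
    return {"jsonrpc": "2.0", "id": req_id, "result": handler(params, user)}


if __name__ == "__main__":
    body = '{"jsonrpc": "2.0", "method": "User.filter", "params": [{"is_active": true}], "id": 1}'
    print(dispatch(body, None))      # error -32000 for the anonymous caller
    print(dispatch(body, "alice"))   # result for an authenticated session
```

Placing the gate in the dispatcher rather than in each handler means that a newly added method touching user records only needs to be listed in AUTH_REQUIRED; forgetting a per-handler check can no longer reopen the leak.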
Exploiting this information disclosure vulnerability could have severe consequences. Attackers may use the disclosed data to perform further attacks, such as social engineering or brute-force attacks on user accounts. The exposure of active usernames aids user enumeration and so enlarges the attack surface. The disclosure may also reveal internal implementation details that help in crafting more sophisticated attacks against the application. Such vulnerabilities underline the importance of robust access controls and vigilant monitoring of exposed interfaces.
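The "vigilant monitoring" the paragraph calls for can be made concrete as a detection rule over the endpoint's own audit trail. The block below is an added example, not part of the original page or of Kiwi TCMS: it parses a constructed JSON-lines audit log (the field names `ts`, `src`, `path`, `rpc_method` and `user` are an assumption; a real deployment maps its own log fields onto them), flags every anonymous call to "User.filter" on /json-rpc/, and additionally reports sources that issue a burst of such calls inside a short window, the pattern user enumeration leaves behind.

```python
"""Added example (not Kiwi TCMS code): detection of anonymous user-enumeration
attempts against a JSON-RPC endpoint from a constructed audit log."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, one JSON object per line (not real traffic).
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00", "src": "203.0.113.5", "path": "/json-rpc/", "rpc_method": "User.filter", "user": null}
{"ts": "2024-01-01T10:00:01", "src": "203.0.113.5", "path": "/json-rpc/", "rpc_method": "User.filter", "user": null}
{"ts": "2024-01-01T10:00:02", "src": "203.0.113.5", "path": "/json-rpc/", "rpc_method": "User.filter", "user": null}
{"ts": "2024-01-01T10:00:30", "src": "198.51.100.7", "path": "/json-rpc/", "rpc_method": "User.filter", "user": "alice"}
{"ts": "2024-01-01T10:05:00", "src": "198.51.100.9", "path": "/json-rpc/", "rpc_method": "Version", "user": null}
{"ts": "2024-01-01T12:00:00", "src": "203.0.113.5", "path": "/json-rpc/", "rpc_method": "User.filter", "user": null}
"""

# RPC methods that return account data and must never succeed anonymously.
SENSITIVE_METHODS = {"User.filter"}


def parse_log(text):
    """Parse JSON-lines audit records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def unauthenticated_sensitive_calls(records):
    """Each anonymous call to a sensitive method on the RPC endpoint is a finding."""
    return [r for r in records
            if r.get("path") == "/json-rpc/"
            and r.get("rpc_method") in SENSITIVE_METHODS
            and r.get("user") is None]


def burst_sources(records, window=timedelta(minutes=1), threshold=3):
    """Sources with at least `threshold` anonymous sensitive calls in one sliding window.

    Returns {source: count_in_the_first_window_that_crossed_the_threshold}.
    """
    by_src = defaultdict(list)
    for r in unauthenticated_sensitive_calls(records):
        by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old entries
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def summarise(text):
    records = parse_log(text)
    return {
        "anonymous_sensitive_calls": len(unauthenticated_sensitive_calls(records)),
        "burst_sources": burst_sources(records),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The per-call finding is the high-fidelity signal (a correctly configured server should never answer such a call at all), while the burst rule separates a single stray request from a sustained enumeration attempt and gives the responder a source to act on.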