TestLink Default Credentials Scanner

Detects 'Default Credentials' vulnerability in TestLink.

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 1 month 4 days
Scan only one: URL
Toolbox: -

TestLink is a widely used open-source test management tool. Software development teams across many industries use it to manage and track their testing effort. The application provides test case creation, test execution tracking, and requirement specification, and it gives developers and testers a shared place to record and communicate testing progress. It is particularly useful for medium to large projects with extensive test suites: by centralizing test data, TestLink helps teams ensure coverage and manage testing resources effectively.

The vulnerability this scanner detects is the use of default credentials in TestLink. An installation that still accepts its shipped administrator login is open to anyone who knows or guesses that login, so no exploit skill is required. The scanner attempts to log into TestLink with the default username and password, which are 'admin' and 'admin'. If the login succeeds, the default credentials have not been changed since installation. The result is unauthenticated access to the application with administrator rights and to all test data it holds. Changing the admin password at first login, and keeping administrative credentials managed thereafter, is the basic control against this finding.

Technically, the check is a single login attempt against the TestLink login endpoint. The scanner sends an HTTP POST to '/testlink/login.php' with the form fields 'tl_login' and 'tl_password' set to the default values 'admin' and 'admin'. The finding is confirmed only when both conditions hold: the response status is 200 and the response body contains the phrase "Users/Roles", a label from the TestLink navigation that is rendered only after a successful login. The status code alone is not the signal, because the login page itself is also served with a 200; the body match is what distinguishes a real dashboard from a re-rendered login form. Note that the check covers only the 'admin'/'admin' pair; other weak or reused administrator passwords are outside its scope.
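The request-and-match logic described above, written out as an added example (this is not the scanner's own code). The endpoint, form field names, default credentials, status check and "Users/Roles" marker come from the description; the cookie handling, timeout, and the constructed sample responses used for the offline run are assumptions made here so the script runs without a live TestLink.

```python
"""Default-credential check for TestLink (added example, not the scanner's code).

From the page: POST /testlink/login.php with tl_login=admin&tl_password=admin,
confirm on HTTP 200 plus "Users/Roles" in the body.
Assumed here: cookie-aware redirect handling, a 10 s timeout, and the two
constructed sample bodies used by simulated_fetch() for offline runs.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

LOGIN_PATH = "/testlink/login.php"          # from the scanner description
DEFAULT_CREDS = [("admin", "admin")]         # the only pair the scanner tries
SUCCESS_MARKERS = ("Users/Roles",)           # navigation label shown after login
TIMEOUT_SECONDS = 10                         # assumption

# Constructed sample responses (not captured from a real TestLink instance).
SAMPLE_DASHBOARD = "<html><body><div id='nav'><a>Users/Roles</a></div></body></html>"
SAMPLE_LOGIN_FORM = "<html><body><form action='login.php'>Login failed</form></body></html>"

Fetcher = Callable[[str, str, str], Tuple[int, str]]


def build_login_body(username: str, password: str) -> bytes:
    """Form-encode the two fields the scanner targets, in a fixed order."""
    return urllib.parse.urlencode(
        {"tl_login": username, "tl_password": password}
    ).encode()


def looks_logged_in(status: int, body: str) -> bool:
    """The matcher: status must be 200 AND every marker must appear in the body.

    A 200 alone is not enough, since the login form is also served with 200.
    """
    return status == 200 and all(marker in body for marker in SUCCESS_MARKERS)


def live_fetch(base_url: str, username: str, password: str) -> Tuple[int, str]:
    """POST the login form and return (status, body) of the final page.

    A cookie-aware opener is used so the session cookie set by login.php is
    still sent if the server redirects to the dashboard after login.
    """
    url = base_url.rstrip("/") + LOGIN_PATH
    request = urllib.request.Request(
        url,
        data=build_login_body(username, password),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    try:
        with opener.open(request, timeout=TIMEOUT_SECONDS) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def simulated_fetch(base_url: str, username: str, password: str) -> Tuple[int, str]:
    """Offline stand-in: admin/admin yields the dashboard, anything else the form."""
    if (username, password) == ("admin", "admin"):
        return 200, SAMPLE_DASHBOARD
    return 200, SAMPLE_LOGIN_FORM


def scan(base_url: str, fetch: Fetcher = live_fetch) -> Optional[Tuple[str, str]]:
    """Return the first default pair that logs in, or None if none does."""
    for username, password in DEFAULT_CREDS:
        status, body = fetch(base_url, username, password)
        if looks_logged_in(status, body):
            return username, password
    return None


if __name__ == "__main__":
    # Usage: python testlink_default_login.py http://target   (live check)
    #        python testlink_default_login.py                  (offline demo)
    if len(sys.argv) > 1:
        hit = scan(sys.argv[1])
    else:
        hit = scan("http://testlink.example", fetch=simulated_fetch)
    print("default credentials accepted:", hit) if hit else print("no default login")
```

The matcher and the transport are kept apart so the decision logic can be exercised against captured responses without touching a target; only `live_fetch` talks to the network, and only one request per credential pair is sent, so the check will not trip account lockout.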

If this vulnerability is exploited, the attacker gains administrative access to the test management system. They can read, modify or delete test cases, test results and requirement specifications, which can disrupt project timelines and silently corrupt the record of what was tested. Confidential project details held in TestLink, including descriptions of unreleased functionality and known defects, may be exposed, with consequences ranging from loss of data integrity and confidentiality to reputational damage and industrial espionage.
