COMMAND

    TestTrack

SYSTEMS AFFECTED

    Win systems running TestTrack

PROBLEM

    Fabien Royer found the following.  TestTrack, a bug tracking software
    made by Seapine Software, has a number of security problems that
    allow an attacker to acquire user IDs and passwords in clear text.
    TestTrack also has an implementation flaw that allows anyone to peg
    the CPU of the machine running the TestTrack server at 100%.

    An attacker may be able to remotely break the TestTrack server and
    peg the CPU of the server hosting it at 100%.  Here's how: using
    telnet, connect to port 99 of the TestTrack server, then disconnect
    without typing any data.  As soon as you disconnect, the CPU jumps
    to 100%.  The only way to get it back down is to kill the TestTrack
    server from the task manager.  You may reproduce the same thing with
    ttcgi.exe.  Log in to the TestTrack server using the web interface
    and start working normally.  While working from the web browser,
    connect to port 99 of the TestTrack server using telnet and do
    nothing.  From the web browser, attempt any operation, like adding a
    new bug report.  As soon as you add, the web browser sits there,
    because the telnet connection is blocking it.  The TestTrack server
    is not capable of processing more than one request at a time.

    Now, if you stop the activity of the web browser, you will see in
    the task manager that the ttcgi.exe process is still there!  If you
    attempt the same operation again, a new ttcgi.exe process will be
    created, and so on and so on...  Needless to say, a simple script
    issuing a few thousand requests like this would exhaust the
    resources of the NT server in a few seconds and very likely crash
    it.

    At this point, if you disconnect the telnet session, the TestTrack
    server jumps to 100% and remains there.  All the ttcgi.exe processes
    on the web server are still there.  It's only after killing the
    TestTrack server that they finally go away.  In some cases during
    tests, ttcgi.exe itself may end up pegged at 100%.  Since this
    process is spawned by IIS and runs as SYSTEM, it cannot be killed.
    IIS cannot be stopped either, leaving only the option of rebooting
    NT (the same problem arises if TestTrackWeb.exe was run under
    ServerAny).

    Finally,  under  the  \scripts  directory,  you  will  notice that
    ttcgi.exe creates a log file  by default.  This log  file contains
    all  the  commands  issued  from  ttcgi.exe  to  TestTrackWEB.exe,
    including clear text login  information!  See for  yourself below.
    This is the same problem as the clear text user IDs and  passwords
    in the project files.

        Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login
        command=RecordList&cookie=0022e88b&from=1&table=user
        Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10
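    As an added example, not part of the advisory or of Seapine's code: a
    small Python audit that reads lines in the URL-encoded query-string
    format shown above, reports which lines carry a clear-text password
    (the pword parameter) and writes back a redacted copy, so an
    administrator can check and scrub an existing ttcgi.exe log before
    the upgrade.  It assumes one request per line, as in the excerpt.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample in the format the advisory quotes from the log
# (not a real capture); one URL-encoded request per line is assumed.
SAMPLE_LOG = """\
Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login
command=RecordList&cookie=0022e88b&from=1&table=user
Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10
"""

# Parameter names whose values are credentials; compared case-insensitively.
SECRET_PARAMS = {"pword"}


def audit_line(line):
    """Return (redacted_line, leaked_params) for one log line.

    leaked_params lists the secret parameters that carried a non-empty
    value in clear text on this line; the redacted line keeps every
    other parameter unchanged (including empty ones such as database=).
    """
    line = line.rstrip("\r\n")
    if "=" not in line:
        return line, []
    leaked, cleaned = [], []
    for key, value in parse_qsl(line, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS and value:
            leaked.append(key)
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    return urlencode(cleaned), leaked


def audit_log(text):
    """Audit a whole log; return (redacted_text, findings).

    findings is a list of (line_number, leaked_param_names) so the
    administrator knows which users must change their password.
    """
    redacted_lines, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        cleaned, leaked = audit_line(line)
        redacted_lines.append(cleaned)
        if leaked:
            findings.append((number, leaked))
    return "\n".join(redacted_lines) + "\n", findings


if __name__ == "__main__":
    redacted, found = audit_log(SAMPLE_LOG)
    print(f"{len(found)} line(s) with clear-text credentials: {found}")
    print(redacted)
```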

SOLUTION

    These security issues have all been addressed in version 1.2.0  of
    TestTrack Web.  A free  upgrade to version 1.2.0 is  available via
    the  web  at  www.seapine.com.   The  user  IDs  and passwords are
    encrypted in the database for added security.  The CGI program has
    been modified to  block attempts to  peg the CPU  of the TestTrack
    server  through  the  use  of  telnet.   A  log  file is no longer
    generated by the TestTrack Web application.