TestRail Information Disclosure (CVE-2021-40875)

Description

TestRail is a web-based test case management platform used by development teams to track software testing activities.

This vulnerability (CVE-2021-40875) allows unauthenticated attackers to access the 'files.md5' file, which contains sensitive information about the application's file structure and paths. This improper access control issue affects TestRail versions 7.2.0.3014 and earlier, exposing internal system details without requiring authentication.

Remediation

Apply the following remediation steps to address this vulnerability:

1. Upgrade TestRail to version 7.2.0.3015 or later, which includes fixes for this improper access control issue
2. Verify that the 'files.md5' file is no longer accessible without authentication by requesting it directly over HTTP from an unauthenticated session
3. Review web server access logs for any unauthorized access attempts to 'files.md5' or similar sensitive files
4. Implement or verify that proper authentication controls are enforced for all administrative and system files
5. Consider implementing additional security measures such as IP whitelisting for administrative interfaces if not already in place
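The log review in step 3, as an added example that is not part of the advisory and not TestRail's own tooling. It parses Apache/nginx "combined" format access logs, normalises the request path (percent-decoding and case folding, so a request for `/Files%2Emd5` is caught alongside `/files.md5`), and reports every request for 'files.md5' together with whether the server actually served it. The sample log lines are constructed, and the paths other than 'files.md5' in the watch list are placeholders standing in for whatever "similar sensitive files" an operator chooses to add.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Paths to flag. '/files.md5' comes from the advisory; the others are
# placeholder assumptions for additional sensitive files an operator may list.
SENSITIVE_PATHS = {"/files.md5", "/config.php", "/.git/config"}

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2021:10:14:02 +0000] "GET /files.md5 HTTP/1.1" 200 18422 "-" "curl/7.68.0"
198.51.100.23 - - [12/Sep/2021:10:14:05 +0000] "GET /index.php?/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2021:10:15:11 +0000] "GET /files.md5?x=1 HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.44 - - [12/Sep/2021:10:16:30 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.25"
this line is not in combined format and is skipped
198.51.100.9 - - [12/Sep/2021:10:17:00 +0000] "GET /Files%2Emd5 HTTP/1.1" 200 18422 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string, percent-decode and case-fold so that encoded
    # or mixed-case variants of the same file name are not missed.
    rec["path"] = unquote(urlsplit(rec["target"]).path).lower()
    rec["status"] = int(rec["status"])
    return rec


def find_sensitive_hits(lines, sensitive=SENSITIVE_PATHS):
    """Return every request for a watched path, oldest first.

    'served' is True when the server answered 200, i.e. the file was
    actually disclosed rather than blocked or missing.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in sensitive:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "served": rec["status"] == 200,
        })
    return hits


def count_by_ip(hits):
    """Number of watched-path requests per client address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_sensitive_hits(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "DISCLOSED" if h["served"] else "blocked/missing"
        print(f'{h["ts"]} {h["ip"]:<15} {h["path"]:<14} {h["status"]} {flag}')
    print("requests per source:", count_by_ip(found))
```

Run it against a real access log with `find_sensitive_hits(open("access.log"))`; any hit with `served` set to True on a version at or below 7.2.0.3014 should be treated as a confirmed disclosure rather than a mere probe.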

If immediate patching is not possible, implement a temporary workaround by configuring web server rules to deny access to 'files.md5' and other sensitive system files until the upgrade can be completed.
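One way to express that temporary workaround for an nginx front end, as an added example that is neither from the advisory nor from the vendor. It assumes TestRail is served from the root of this `server` block; the exact-match `location` answers 404 for 'files.md5' before any PHP handler sees the request, and further `location` blocks can be added in the same form for other files an operator chooses to block.

```nginx
# Added example, not vendor configuration. Place inside the server { } block
# that fronts TestRail; adjust the path if the application is mounted under
# a prefix. '=' makes this an exact match, so it takes priority over the
# generic PHP location and the file is never handed to the application.
location = /files.md5 {
    return 404;
}
```

Because `return` runs in nginx's rewrite phase, it short-circuits before access control and content handling, so the response is the same whether or not the file exists on disk. Re-test with an unauthenticated request after reloading the configuration, and remove the rule once the upgrade in step 1 is complete.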
