TCExam <=11.2.011 Multiple SQL Injection Vulnerabilities

Medium

Advisory ID: ZSL-2011-5026
Release Date: 13 July 2011
Vendor: Tecnick.com s.r.l. - http://www.tcexam.org
Affected Version: 11.2.009, 11.2.010 and 11.2.011
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

TCExam is a FLOSS system for electronic exams (also known as CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams.

Description

Input passed via multiple parameters to multiple scripts is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
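The fix the vendor shipped is not reproduced on this page, so the following is an added illustration of the class of flaw described above, not code from TCExam or from the advisory author. It uses Python's built-in sqlite3 module instead of PHP/MySQL so that it runs offline; the table, rows and the "exams" lookup are constructed for the example. It contrasts a query built by string concatenation with a parameterized one, and adds an allow-list check for numeric identifiers, which is the usual hardening for the "input is not properly sanitised before being used in SQL queries" condition.

```python
import sqlite3

# Constructed sample data: a minimal "exams" table standing in for any
# application table that a request parameter is used to query.
SAMPLE_ROWS = [
    (1, "Algebra midterm", "public"),
    (2, "Chemistry final", "public"),
    (3, "Unpublished draft", "private"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exams (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO exams VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_public_exam_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so quote characters in it become part of the query grammar and can
    change which rows the WHERE clause admits."""
    sql = ("SELECT id, name FROM exams WHERE visibility = 'public' "
           "AND name = '" + name + "'")
    return conn.execute(sql).fetchall()


def find_public_exam_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed pattern: a bound placeholder keeps the parameter as a literal
    value; the database never interprets its contents as SQL."""
    sql = "SELECT id, name FROM exams WHERE visibility = 'public' AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def parse_record_id(raw: str) -> int:
    """Allow-list validation for numeric identifiers (e.g. an id taken from a
    GET parameter): anything that is not a plain non-negative integer is
    rejected before it reaches the database layer."""
    if not raw.isdigit():
        raise ValueError(f"invalid record id: {raw!r}")
    return int(raw)


def find_exam_by_id_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate the id first, then still bind it as a parameter."""
    record_id = parse_record_id(raw_id)
    return conn.execute("SELECT id, name FROM exams WHERE id = ?",
                        (record_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A constructed probe string containing a quote; the concatenated query
    # returns every row (including the private one), the bound query none.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_public_exam_vulnerable(db, probe))
    print("safe      :", find_public_exam_safe(db, probe))
    print("by id     :", find_exam_by_id_safe(db, "2"))
```

With the constructed probe the concatenated query matches all three rows, including the private draft, because the string has rewritten the WHERE clause; the parameterized query looks for an exam literally named `x' OR '1'='1` and returns nothing. The same two changes in PHP (mysqli or PDO prepared statements plus integer casting of id parameters) are what closes this class of issue in a MySQL-backed application.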

Proof of Concept
Disclosure Timeline
09.07.2011 - Vulnerability discovered.
10.07.2011 - Initial contact with the vendor.
11.07.2011 - Vendor responds asking for more details.
11.07.2011 - Sent details to vendor.
12.07.2011 - Vendor confirms the issues.
12.07.2011 - Working with the vendor.
13.07.2011 - Vendor releases version 11.2.012 to address these issues.
13.07.2011 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Dr. Nicola Asuni
References
Changelog
13.07.2011 - Initial release
14.07.2011 - Added references [4], [5] and [6]
19.07.2011 - Added reference [7]