Zero Science Lab » TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities

TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities

Title: TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5025
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.07.2011

Summary

TCExam is a FLOSS system for electronic exams (also know as CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams.

Description

TCExam suffers from multiple pre and post auth XSS vulnerabilities when parsing user input to multiple parameters via GET and POST method in multiple scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Vendor

Tecnick.com s.r.l. - http://www.tcexam.org

Affected Version

11.2.009, 11.2.010 and 11.2.011

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

[09.07.2011] Vulnerability discovered.
[10.07.2011] Initial contact with the vendor.
[11.07.2011] Vendor responds asking more details.
[11.07.2011] Sent details to vendor.
[12.07.2011] Vendor confirms the issues.
[12.07.2011] Working with the vendor.
[13.07.2011] Vendor releases version 11.2.012 to address these issues.
[13.07.2011] Coordinated public security advisory released.

PoC

tcexam_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Dr. Nicola Asuni

References

Changelog

[13.07.2011] - Initial release
[14.07.2011] - Added reference [3], [4], [5] and [6]
[16.07.2011] - Added reference [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20] and [21]
[19.07.2011] - Added reference [22]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk