SEC Consult Vulnerability Lab Security Advisory < 20160810-1 >
=======================================================================
title: Correct Answer Information Disclosure
product: ARI Soft ARI Quiz
vulnerable version: <= 3.8.4
fixed version: 3.9.2 (not tested)
CVE number: -
impact: low
homepage: www.ari-soft.com
found: 2016-07-27
by: M. Heinzl (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
=======================================================================
Vendor description:
-------------------
"ARI Soft is a team of professionals that are mostly targeted at web
development. Our team wants to combine the power of open source content
management system Joomla! with highly customizable commercial components and
modules of great quality."
"ARI Quiz is a powerful Joomla! quiz component which provides ability to
create various tests to evaluate respondent's level of knowledge. It can help
organizing quizzes on your Joomla! site. It contains many settings and can be
configured for your needs. You can successfully use it both for creating big
quiz system on your Joomla site or simple quiz with several questions on your
site."
Source:
www.ari-soft.com/about_us.html
www.ari-soft.com/Joomla-Components/ARI-Quiz/Detailed-product-flyer.html
Business recommendation:
------------------------
SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified issues
have been resolved.
Please note that since SEC Consult did not conduct a thorough technical
security check SEC Consult cannot make a statement regarding the overall
security of the software product.
Vulnerability overview/description:
-----------------------------------
1. Information Disclosure
When an exam question is sent from the server to the client, the server's
response marks the correct answer within its response through the attribute
"hidCorrect":"true". Wrong answers are marked with "hidCorrect":null.
Exploiting this vulnerability can lead to fraudulent test results.
Proof of concept:
-----------------
1. Information Disclosure
HTTP Response:
HTTP Response:
HTTP/1.1 200 OK
[...]
{"pageId":"10","pageNumber":"0","description":"","questions":[{"hasCorrectAnswer":true,"questionData":{"data":[{"tbxAnswer":"<img src=\"\/images\/1.jpg\">","hidQueId":"492fd1a68a6114.25749641","hidCorrect":"true"},{"tbxAnswer":"<img src=\"\/images\/2.jpg\">","hidQueId":"492fd1a68a6575.43077847","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/3.jpg\">","hidQueId":"492fd1a68a6973.47435188","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/4.jpg\">","hidQueId":"492fd1a68a6d98.15172714","hidCorrect":null}],"view":null},"questionId":"28","questionText":"Which of these is clubs?","questionType":"SingleQuestion","questionIndex":"0","completed":false}],"pageTime":null}
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the most recent version
at the time of discovery:
v3.8.4
Vendor contact timeline:
------------------------
2016-07-30: Contacting vendor through info@ari-soft.com requesting security
contact
2016-07-30: Received response. Vendor asked to send advisory via plaintext
communication
2016-07-31: Sending advisory unencrypted to info@ari-soft.com
2016-08-08: Asking for status update
2016-08-08: Vendor replied that the issue has been fixed in version 3.9.2
2016-08-10: Release of advisory
Solution:
---------
Upgrade to 3.9.2 or later.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF M. Heinzl / @2016