Multiple XSS vulnerabilities in TAO Open Source Assessment Platform

Project Description

XSS vulnerabilities allow an attacker to perform unauthorized actions on behalf of another user. In addition, access credentials and other sensitive information can be intercepted directly.


Vendor description

“The Next Generation Open Source Assessment Solution – Say goodbye to technical complexity and yet another IT project. Say hello to an all-in-one assessment solution. Easily tap into the power of open source, single sign-on and LTI. Open source means open possibilities so you can benefit from the ideas of the expert assessment community.”

Source: https://www.taotesting.com/product/

Business recommendation

The vendor did not respond to our communication attempts, hence no patch is available.

Update 2020-04-08: The vendor responded that a newer version, which fixes the security issues, is available through GitHub and should be installed immediately. Enterprise edition users are not affected as they are already on newer versions.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description

Multiple XSS vulnerabilities

Several pages do not validate the request URL before it is output into the action attribute of a form. An attacker can break out of the attribute string and add custom JavaScript event handlers to several forms. Additionally, the error page lacks filtering of user input/output.

Proof of concept

1) XSS in URL for form action attributes

If a victim accesses the following link and enters their credentials, an alert shows the entered password:

http://$IP/tao/Main/login/'onsubmit='alert(document.getElementById(String.fromCharCode(112)+String.fromCharCode(97)+String.fromCharCode(115)+String.fromCharCode(115)+String.fromCharCode(119)+String.fromCharCode(111)+String.fromCharCode(114)+String.fromCharCode(100)).value)

Since characters like ", < and > are filtered in this case, the string had to be built
from character codes using JavaScript's String.fromCharCode(). The same pattern
works for many other paths too. The following additional paths were also found to be
vulnerable:

- /taoBackOffice/Lists/index/ (GET)
- /taoItems/Items/editItem/ (POST)
- /taoResultServer/ResultServerMgt/editResultServer/ (POST)
- /taoTests/Tests/editTest/ (POST)
- /taoTestTaker/TestTaker/editSubject/ (POST)

2) XSS in error page

The internal error page also lacks input/output validation. The following URL
produces a page that opens a message box showing the current location, without
any filtering:

http://$IP/tao/Main/index?structure=user_settings&ext=<script>alert(document.location)</script>
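As an added example, not taken from the advisory or from the TAO code base, the rendering patterns behind both proofs of concept, modelled in Python: a blacklist filter that drops only ", < and > still lets the single-quote payload from the first PoC become a second attribute on the form, while HTML-attribute encoding (html.escape with quote=True, the counterpart of PHP's htmlspecialchars with ENT_QUOTES) keeps it inside the action value, and the same encoding neutralises the reflected parameter from the second PoC. The form template, the filter and the error page wording are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed input, shortened from the advisory's first proof of concept:
# the single quote closes the action value and a second attribute follows.
POC_PATH = ("/tao/Main/login/'onsubmit='alert(document.getElementById("
            "String.fromCharCode(112)).value)")
POC_EXT = "<script>alert(document.location)</script>"  # second PoC parameter

def weak_filter(url: str) -> str:
    """Blacklist of the characters the advisory reports as filtered (", <, >).
    Assumed model of the vulnerable behaviour; the single quote survives."""
    return re.sub(r'["<>]', "", url)

def render_form_weak(request_url: str) -> str:
    """Assumed form template: the filtered request URL lands in action."""
    return f"<form action='{weak_filter(request_url)}' method='post'>"

def render_form_hardened(request_url: str) -> str:
    """Attribute-context encoding: & < > " and ' all become entities, so the
    value cannot close the quoted attribute. PHP equivalent:
    htmlspecialchars($url, ENT_QUOTES, 'UTF-8')."""
    return f"<form action='{html.escape(request_url, quote=True)}' method='post'>"

def render_error_hardened(ext: str) -> str:
    """Assumed error page wording; the parameter is encoded before reflection."""
    return f"<p>Extension not found: {html.escape(ext, quote=True)}</p>"

class _FormAttrs(HTMLParser):
    """Record the attribute names parsed on the <form> tag. Browsers tokenise
    a='x'b='y' the same way: two attributes, no whitespace needed."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.names = [name for name, _ in attrs]

def form_attribute_names(markup: str) -> list[str]:
    """Which attributes a parser sees: weak rendering of POC_PATH yields
    ['action', 'onsubmit', 'method'], hardened rendering ['action', 'method']."""
    parser = _FormAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names
```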

Vulnerable / tested versions

The following version has been tested, which was the most recent one at the time
of the test:

  • 3.3.0 RC2

Vendor contact timeline

2019-09-17: Contacting vendor through https://www.taotesting.com/contact-us/
2019-10-08: Contacting vendor again through https://www.taotesting.com/contact-us/
2020-03-19: Checked whether newer version exists; contacting vendor again through contact form and support contact email address. Got sales auto-response which automatically booked an online meeting with a “Business Development” person. Also automatically got added to a newsletter which we did not agree to in the contact form. Contacted “Business Development” person via email directly. No response.
2020-03-20: Sent email again, asking for security contact.
2020-03-23: Sent email again to sales@taotesting.com and “Business Development” person; no response.
2020-04-07: Release of security advisory
2020-04-07: Vendor gets in contact with us
2020-04-08: Sending security advisory with proof of concept
2020-04-08: Vendor confirms the issue and sends information of fixed version

Solution

The vendor did not respond to our communication attempts, hence no patch is available.

Update 2020-04-08:
According to the vendor, version 3.4.0-sprint117 is not affected by the security issues.
A new release, version 3.4.0 CE, is planned for the near future; until then the more
recent version can be downloaded from their GitHub page. Enterprise edition clients are
not affected as they are already on newer versions.

Workaround

None.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF David Haintz, Johannes Greil / @2020


Project Details

  • Title: Multiple XSS vulnerabilities
  • Product: TAO Open Source Assessment Platform
  • Vulnerable version: <= 3.3.0 RC2
  • Fixed version: 3.4.0-sprint117
  • CVE number: -
  • Impact: Medium
  • Homepage: https://www.taotesting.com/product/community/
  • Found: 2019-09-16
  • By: David Haintz | SEC Consult Vulnerability Lab