Correct Answer Information Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20160810-1 >

=======================================================================

title: Correct Answer Information Disclosure
product: ARI Soft ARI Quiz
vulnerable version: <= 3.8.4
fixed version: 3.9.2 (not tested)
CVE number: -
impact: low
homepage: www.ari-soft.com
found: 2016-07-27
by: M. Heinzl (Office Singapore)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"ARI Soft is a team of professionals that are mostly targeted at web
development. Our team wants to combine the power of open source content
management system Joomla! with highly customizable commercial components and
modules of great quality."

"ARI Quiz is a powerful Joomla! quiz component which provides ability to
create various tests to evaluate respondent's level of knowledge. It can help
organizing quizzes on your Joomla! site. It contains many settings and can be
configured for your needs. You can successfully use it both for creating big
quiz system on your Joomla site or simple quiz with several questions on your
site."

Source:
www.ari-soft.com/about_us.html
www.ari-soft.com/Joomla-Components/ARI-Quiz/Detailed-product-flyer.html

 

 

Business recommendation:

------------------------

SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified issues
have been resolved.

Please note that since SEC Consult did not conduct a thorough technical
security check SEC Consult cannot make a statement regarding the overall
security of the software product.

 

 

Vulnerability overview/description:

-----------------------------------

1. Information Disclosure
When an exam question is sent from the server to the client, the server's
response marks the correct answer option with the attribute
"hidCorrect":"true", while wrong answer options are marked with
"hidCorrect":null. A quiz participant who inspects the response can therefore
read the answer key before answering, so exploiting this vulnerability can
lead to fraudulent test results.

 

 

Proof of concept:

-----------------

1. Information Disclosure

 

HTTP Response:
HTTP/1.1 200 OK
[...]

{"pageId":"10","pageNumber":"0","description":"","questions":[{"hasCorrectAnswer":true,"questionData":{"data":[{"tbxAnswer":"<img src=\"\/images\/1.jpg\">","hidQueId":"492fd1a68a6114.25749641","hidCorrect":"true"},{"tbxAnswer":"<img src=\"\/images\/2.jpg\">","hidQueId":"492fd1a68a6575.43077847","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/3.jpg\">","hidQueId":"492fd1a68a6973.47435188","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/4.jpg\">","hidQueId":"492fd1a68a6d98.15172714","hidCorrect":null}],"view":null},"questionId":"28","questionText":"Which of these is clubs?","questionType":"SingleQuestion","questionIndex":"0","completed":false}],"pageTime":null}
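The response above carries the answer key in the "hidCorrect" field of each answer option. The following Python is an added example, not part of the advisory or of ARI Quiz: it locates the leaked correct options in a quiz-page response (useful as a regression check against a patched installation) and shows the server-side fix of stripping the answer-key field before the page is serialised for the client. The sample response is constructed from the proof of concept above, shortened to two options.

```python
import json

# Constructed sample modelled on the advisory's HTTP response (raw string so the
# JSON escapes \" and \/ survive intact). Option 1 is the leaked correct answer.
SAMPLE_RESPONSE = r'''{"pageId":"10","pageNumber":"0","description":"","questions":[{"hasCorrectAnswer":true,"questionData":{"data":[{"tbxAnswer":"<img src=\"\/images\/1.jpg\">","hidQueId":"492fd1a68a6114.25749641","hidCorrect":"true"},{"tbxAnswer":"<img src=\"\/images\/2.jpg\">","hidQueId":"492fd1a68a6575.43077847","hidCorrect":null}],"view":null},"questionId":"28","questionText":"Which of these is clubs?","questionType":"SingleQuestion","questionIndex":"0","completed":false}],"pageTime":null}'''

# Fields that only the server-side grader needs; they must never reach the client.
ANSWER_KEY_FIELDS = ("hidCorrect",)


def _options(page):
    """Yield (question, option) pairs for every answer option on a quiz page."""
    for question in page.get("questions", []):
        for option in question.get("questionData", {}).get("data", []):
            yield question, option


def find_leaked_answers(response_json):
    """Return (questionId, hidQueId) for each option the response marks as correct.

    An empty list means the page does not disclose the answer key; use this as a
    check after upgrading or patching the component."""
    page = json.loads(response_json)
    leaks = []
    for question, option in _options(page):
        # The advisory shows the value as the string "true"; accept a bool too.
        if str(option.get("hidCorrect")).lower() == "true":
            leaks.append((question.get("questionId"), option.get("hidQueId")))
    return leaks


def strip_answer_key(response_json):
    """Server-side mitigation: drop every answer-key field from each option
    before the page JSON is sent to the client. Grading must then use the
    server's own copy of the answer key, matched on hidQueId."""
    page = json.loads(response_json)
    for _question, option in _options(page):
        for field in ANSWER_KEY_FIELDS:
            option.pop(field, None)
    return json.dumps(page, separators=(",", ":"))


if __name__ == "__main__":
    print("leaked:", find_leaked_answers(SAMPLE_RESPONSE))
    print("cleaned:", strip_answer_key(SAMPLE_RESPONSE))
```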

 

 

Vulnerable / tested versions:

-----------------------------

The following version has been tested which was the most recent version
at the time of discovery:

v3.8.4

 

 

Vendor contact timeline:

------------------------

2016-07-30: Contacting vendor through info@ari-soft.com requesting security
            contact
2016-07-30: Received response. Vendor asked to send advisory via plaintext
            communication
2016-07-31: Sending advisory unencrypted to info@ari-soft.com
2016-08-08: Asking for status update
2016-08-08: Vendor replied that the issue has been fixed in version 3.9.2
2016-08-10: Release of advisory

 

 

Solution:

---------

Upgrade to 3.9.2 or later.

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF M. Heinzl / @2016