Correct Answer Information Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20160810-1 >


title: Correct Answer Information Disclosure

product: ARI Soft ARI Quiz

vulnerable version: <= 3.8.4

fixed version: 3.9.2 (not tested)

CVE number: -

impact: low


found: 2016-07-27

by: M. Heinzl (Office Singapore)

SEC Consult Vulnerability Lab


An integrated part of SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich




Vendor description:


"ARI Soft is a team of professionals that are mostly targeted at web development. Our team wants to combine the power of open source content management system Joomla! with highly customizable commercial components and modules of great quality."


"ARI Quiz is a powerful Joomla! quiz component which provides the ability to create various tests to evaluate a respondent's level of knowledge. It can help organize quizzes on your Joomla! site. It contains many settings and can be configured for your needs. You can successfully use it both for creating a big quiz system on your Joomla site or a simple quiz with several questions on your





Business recommendation:


SEC Consult recommends not to use this product until a thorough security review has been performed by security professionals and all identified issues have been resolved.


Please note that, since SEC Consult did not conduct a thorough technical security check, SEC Consult cannot make a statement regarding the overall security of the software product.



Vulnerability overview/description:


1. Information Disclosure

When an exam question is sent from the server to the client, the server's response already marks the correct answer option with the attribute "hidCorrect":"true", while wrong answer options carry "hidCorrect":null. Because the answer key is delivered to the client together with the question, anyone taking the exam can read the correct answer from the response before answering. Exploiting this vulnerability can lead to fraudulent test results.



Proof of concept:


1. Information Disclosure


HTTP Response:

HTTP/1.1 200 OK

{"pageId":"10","pageNumber":"0","description":"","questions":[{"hasCorrectAnswer":true,"questionData":{"data":[{"tbxAnswer":"<img src=\"\/images\/1.jpg\">","hidQueId":"492fd1a68a6114.25749641","hidCorrect":"true"},{"tbxAnswer":"<img src=\"\/images\/2.jpg\">","hidQueId":"492fd1a68a6575.43077847","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/3.jpg\">","hidQueId":"492fd1a68a6973.47435188","hidCorrect":null},{"tbxAnswer":"<img src=\"\/images\/4.jpg\">","hidQueId":"492fd1a68a6d98.15172714","hidCorrect":null}],"view":null},"questionId":"28","questionText":"Which of these is clubs?","questionType":"SingleQuestion","questionIndex":"0","completed":false}],"pageTime":null}
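As an added illustration (not part of the advisory and not ARI Quiz's own code), a Python check a developer could run against responses of this shape: it flags any client-bound quiz page that still carries the hidCorrect field and shows the server-side scrub that removes it. The sample body and the option ids are constructed; field names follow the response above.

```python
import json

# Constructed sample modelled on the response body shown in the proof of
# concept (trimmed to two options; the real response carries four).
SAMPLE_RESPONSE = json.dumps({
    "pageId": "10", "pageNumber": "0", "description": "",
    "questions": [{
        "hasCorrectAnswer": True,
        "questionData": {"data": [
            {"tbxAnswer": '<img src="/images/1.jpg">', "hidQueId": "id-1", "hidCorrect": "true"},
            {"tbxAnswer": '<img src="/images/2.jpg">', "hidQueId": "id-2", "hidCorrect": None},
        ], "view": None},
        "questionId": "28", "questionText": "Which of these is clubs?",
        "questionType": "SingleQuestion", "questionIndex": "0", "completed": False,
    }],
    "pageTime": None,
})

# The field that discloses the answer key. Its mere presence is a leak: a
# client can tell "true" from null, so the scrub must drop the key entirely
# rather than blank its value.
ANSWER_KEY_FIELD = "hidCorrect"


def iter_options(page: dict):
    """Yield every answer option dict on a quiz page, across all questions."""
    for question in page.get("questions", []):
        yield from question.get("questionData", {}).get("data", [])


def answer_key_exposed(body: str) -> bool:
    """Audit check for a client-bound response: True if any option still
    carries the answer-key field, whatever its value."""
    return any(ANSWER_KEY_FIELD in opt for opt in iter_options(json.loads(body)))


def scrub_answer_key(body: str) -> str:
    """Server-side fix: remove the answer-key field from every option before
    the page is serialised to the client. Grading must then happen on submit,
    by looking up the submitted hidQueId against the key kept server-side."""
    page = json.loads(body)
    for opt in iter_options(page):
        opt.pop(ANSWER_KEY_FIELD, None)
    return json.dumps(page)


if __name__ == "__main__":
    print("answer key exposed before scrub:", answer_key_exposed(SAMPLE_RESPONSE))
    print("answer key exposed after scrub: ",
          answer_key_exposed(scrub_answer_key(SAMPLE_RESPONSE)))
```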



Vulnerable / tested versions:


The following version has been tested, which was the most recent version at the time of discovery:





Vendor contact timeline:


2016-07-30: Contacting vendor through requesting security

2016-07-30: Received response. Vendor asked to send advisory via plaintext

2016-07-31: Sending advisory unencrypted to

2016-08-08: Asking for status update

2016-08-08: Vendor replied that the issue has been fixed in version 3.9.2

2016-08-10: Release of advisory





Solution:


Upgrade to 3.9.2 or later.





Workaround:


No workaround available.



Advisory URL:








About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.



Interested to work with the experts of SEC Consult?

Send us your application


Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices



Mail: research at sec-consult dot com





EOF M. Heinzl / @2016