Multiple XSS Vulnerabilities In Tao Open Source Assessment Platform

Title

Multiple XSS vulnerabilities

Product

TAO Open Source Assessment Platform

Vulnerable Version

<= 3.3.0 RC2

Fixed Version

3.4.0-sprint117

CVE Number

-

Impact

medium

Found

16.09.2019

By

David Haintz | SEC Consult Vulnerability Lab

XSS vulnerabilities allow an attacker to perform unauthorized actions on behalf of another user. In addition, access credentials and other sensitive information can be intercepted directly.

Vendor Description

“The Next Generation Open Source Assessment Solution – Say goodbye to technical complexity and yet another IT project. Say hello to an all-in-one assessment solution. Easily tap into the power of open source, single sign-on and LTI. Open source means open possibilities so you can benefit from the ideas of the expert assessment community.”

Source: https://www.taotesting.com/product/

Business Recommendation

The vendor did not respond to our communication attempts, hence no patch is available.

Update 2020-04-08: The vendor responded that a newer version which fixes the security issues is available through GitHub; it should be installed immediately. Enterprise edition users are not affected as they are already on newer versions.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability Overview / Description

Multiple XSS vulnerabilities

Several pages lack input validation of the request URL, which is output into the action attribute of a form. An attacker can break out of the attribute string and add custom JavaScript event handlers to several forms. Additionally, the error page lacks filtering of user input and output.

Proof Of Concept

1) XSS in URL for form action attributes

If a victim accesses the following link and enters their credentials, an alert shows the entered password:

$IP/tao/Main/login/'onsubmit='alert(document.getElementById(String.fromCharCode(112)+String.fromCharCode(97)+String.fromCharCode(115)+String.fromCharCode(115)+String.fromCharCode(119)+String.fromCharCode(111)+String.fromCharCode(114)+String.fromCharCode(100)).value)

Since characters like " or < and > are filtered in this case, the string had to be built from character codes using JavaScript's String.fromCharCode(). The same pattern works for many other paths too. The following additional paths were also found to be vulnerable:

  • /taoBackOffice/Lists/index/ (GET)
  • /taoItems/Items/editItem/ (POST)
  • /taoResultServer/ResultServerMgt/editResultServer/ (POST)
  • /taoTests/Tests/editTest/ (POST)
  • /taoTestTaker/TestTaker/editSubject/ (POST)
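To illustrate the root cause described above (an attribute value from which only ", < and > are removed while the single quote survives) and the fix, the following Python snippet is an added example, not code from TAO or from the advisory: it models the insufficient filter, contrasts it with full attribute encoding, and parses the rendered tag the way a browser would to see which attributes actually come out. weak_filter, render_form_weak, render_form_safe, form_attributes, unexpected_attributes and the sample path are all constructed here.

```python
import html
from html.parser import HTMLParser

# Constructed request path in the shape the advisory describes: a single quote
# closes the action value and an injected event handler follows. The handler
# body is a harmless marker here.
PAYLOAD_PATH = "/tao/Main/login/'onsubmit='alert(1)"


def weak_filter(value: str) -> str:
    """Models the insufficient filtering: drops '"', '<' and '>' but leaves
    the single quote untouched, so a single-quoted attribute can be closed."""
    return value.replace('"', "").replace("<", "").replace(">", "")


def render_form_weak(request_uri: str) -> str:
    # Single-quoted attribute with only the weak filter applied: the quote in
    # the path terminates the value early and the rest becomes new attributes.
    return "<form action='%s' method='post'>" % weak_filter(request_uri)


def render_form_safe(request_uri: str) -> str:
    # Full attribute encoding: html.escape(quote=True) encodes &, <, >, " and ',
    # so no character in the value can end the quoted attribute.
    return "<form action='%s' method='post'>" % html.escape(request_uri, quote=True)


class _FormTag(HTMLParser):
    """Collects the attributes of the first <form> start tag; attribute values
    are entity-decoded, as a browser would do."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "form" and not self.attrs:
            self.attrs = dict(attrs)


def form_attributes(rendered: str) -> dict:
    parser = _FormTag()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


def unexpected_attributes(rendered: str, expected=("action", "method")) -> set:
    """Detection-style check: any attribute the template did not intend to
    emit (e.g. an on* handler) means the value broke out of its attribute."""
    return set(form_attributes(rendered)) - set(expected)
```

With the weak filter the parsed tag carries an extra onsubmit attribute and a truncated action; with full encoding the action round-trips to the original path and no extra attribute appears.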

2) XSS in error page

The internal error page also lacks input/output validation. The following URL generates a page that opens a message box showing the current location without any filtering:

$IP/tao/Main/index;

Vulnerable / Tested Versions

The following version has been tested, which was the most recent one at the time of the test:

  • 3.3.0 RC2

Vendor Contact Timeline

2019-09-17 Contacting vendor through https://www.taotesting.com/contact-us/
2019-10-08 Contacting vendor again through https://www.taotesting.com/contact-us/
2020-03-19 Checked whether a newer version exists; contacted vendor again through the contact form and the support contact email address. Got a sales auto-response which automatically booked an online meeting with a “Business Development” person. Also automatically got added to a newsletter, to which we did not agree in the contact form. Contacted the “Business Development” person via email directly. No response.
2020-03-20 Sent email again, asking for security contact.
2020-03-23 Sent email again to sales@taotesting.com and “Business Development” person; no response.
2020-04-07 Release of security advisory
2020-04-07 Vendor gets in contact with us
2020-04-08 Sending security advisory with proof of concept
2020-04-08 Vendor confirms the issue and sends information of fixed version

Solution

The vendor did not respond to our communication attempts, hence no patch is available.

Update 2020-04-08:
According to the vendor, version 3.4.0-sprint117 is not affected by the security issues. A new release, version 3.4.0 CE, is planned for the near future; until then the more recent version can be downloaded from their GitHub page. Enterprise edition clients are not affected as they are already on newer versions.

Workaround

None.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF David Haintz, Johannes Greil / @2020