TCExam 11.2.011 Cross Site Scripting

2011.07.14
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities Vendor: Tecnik.com s.r.l. Product web page: http://www.tcexam.org Affected version: 11.2.009, 11.2.010 and 11.2.011 Summary: TCExam is a FLOSS system for electronic exams (also know as CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams. Desc: TCExam suffers from multiple pre and post auth XSS vulnerabilities when parsing user input to multiple parameters via GET and POST method in multiple scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab High five to Dr. Nicola Asuni! Vendor status: [09.07.2011] Vulnerability discovered. [10.07.2011] Initial contact with the vendor. [11.07.2011] Vendor responds asking more details. [11.07.2011] Sent details to vendor. [12.07.2011] Vendor confirms the issues. [12.07.2011] Working with the vendor. [13.07.2011] Vendor releases version 11.2.012 to address these issues. [13.07.2011] Coordinated public security advisory released. Advisory ID: ZSL-2011-5025 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php Vendor Patch: http://sourceforge.net/projects/tcexam/files/tcexam_11_2_012.zip Vendor Changelog: http://sourceforge.net/projects/tcexam/files/CHANGELOG.TXT 09.07.2011 -- ********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) ********** 1. /admin/code/tce_colorpicker.php (frm, fld, tag) - GET 2. /admin/code/tce_edit_backup.php (backup_file) - POST 3. /admin/code/tce_edit_group.php (group_name, group_id) - POST 4. /admin/code/tce_edit_module.php (module_id, module_user_id) - POST 5. /admin/code/tce_edit_rating.php (test_id) - POST 6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) - POST 7. /admin/code/tce_edit_test.php (test_id) - POST 8. /admin/code/tce_filemanager.php (file) - POST 9. /admin/code/tce_select_mediafile.php (frm, fld, file) - GET, GET, POST 10. /admin/code/tce_select_users.php (new_group_id) - POST 11. /admin/code/tce_show_all_questions.php (subject_module_id) - POST 12. /admin/code/tce_show_result_user.php (test_id) - POST 13. /public/code/tce_user_change_email.php (xl_user_email) - POST 14. /public/code/tce_user_change_password.php (xl_newpassword) - POST 15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) - POST ********** Cross-Site Scripting URI Based (script name) ********** 1. /admin/code/index.php 2. /admin/code/tce_csv_users.php 3. /admin/code/tce_edit_answer.php 4. /admin/code/tce_edit_backup.php 5. /admin/code/tce_edit_group.php 6. /admin/code/tce_edit_module.php 7. /admin/code/tce_edit_question.php 8. /admin/code/tce_edit_rating.php 9. /admin/code/tce_edit_subject.php 10. /admin/code/tce_edit_test.php 11. /admin/code/tce_edit_user.php 12. /admin/code/tce_filemanager.php 13. /admin/code/tce_import_omr_answers.php 14. /admin/code/tce_import_xml_questions.php 15. /admin/code/tce_import_xml_users.php 16. /admin/code/tce_menu_modules.php 17. /admin/code/tce_menu_tests.php 18. /admin/code/tce_menu_users.php 19. /admin/code/tce_page_info.php 20. /admin/code/tce_select_mediafile.php 21. /admin/code/tce_select_users.php 22. /admin/code/tce_show_all_questions.php 23. /admin/code/tce_show_allresults_users.php 24. /admin/code/tce_show_online_users.php 25. /admin/code/tce_show_result_allusers.php 26. /admin/code/tce_show_result_questions.php 27. /admin/code/tce_show_result_user.php 28. /admin/code/tce_xml_users.php 29. /public/code/index.php 30. /public/code/tce_page_user.php 31. /public/code/tce_user_change_email.php 32. /public/code/tce_user_change_password.php 33. /public/code/tce_user_registration.php ********** Cross-Site Scripting in path (script name) ********** 1. /admin/code 2. /public/code ------------------------------------------------- XSS: GET http://localhost/tcexam/admin/code/{script}.php?{parameter}={value}"><script>alert(1)</script> XSS: POST http://localhost/tcexam/admin/code/{script}.php HTTP/1.0 - {parameter}={value}<script>alert(1)</script>&{parameter}={value} XSS URI: GET http://localhost/tcexam/admin/code/index.php?zsl=>"><script>alert(1)</script> XSS Path: GET http://localhost/tcexam/admin/code/?=>"'><script>alert(1)</script>

References:

http://www.tcexam.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top