| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Jan 2016 19:13:27 -0500 (EST) From: "lists@...onioherraizs.com lists@...onioherraizs.com" <lists@...onioherraizs.com> To: fulldisclosure <fulldisclosure@...lists.org> Subject: [FD] Correct answer Information Disclosure in TCExam <= 12.2.5 --------------------------------------------------------- Correct answer Information Disclosure in TCExam <= 12.2.5 --------------------------------------------------------- [-] Software Link: http://www.tcexam.org/ [-] Vendor description: TCExam is a Open Source system for electronic exams (also know as CBA – Computer-Based Assessment, CBT – Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams. TCExam is currently the most commonly used Open Source CBA Software in the world. TCExam users includes important universities, schools, public and private companies. [-] Affected Versions: Version 12.2.5 and prior versions. [-] Vulnerability Description: An instance of information disclosure on TCExam allows test takers to predict the right answer to questions as long as the right answer was inserted first during test creation time, which is the suggested way to create tests in the software guide. This vulnerability can lead to fraudulent test results. The vulnerability exists because even though answers are placed randomly on the test page, the "<input>" element for each multiple-choice answer has an "id" attribute with a numeric value indicating in which position the answer was created. Therefore the lowest "id" will always be the right answer, as long as the right answer was added to the question first during test creation time. [-] Proof of Concept: HTML block showing how the right answer contains the lowest value for the "id" attribute in the "<input>" element, in this case "answerid_9". ------------8<------------ Question: what's 2+2? <ol class="answer"> <li><input name="answerid" id="answerid_11" value="11" type="radio"> <label for="answerid_11">Incorrect answer 2</label></li> <li><input name="answerid" id="answerid_12" value="12" type="radio"> <label for="answerid_12">Incorrect answer 3</label></li> <li><input name="answerid" id="answerid_10" value="10" type="radio"> <label for="answerid_10">Incorrect answer 1</label></li> <li><input name="answerid" id="answerid_9" value="9" type="radio"> <label for="answerid_9">Four</label></li> </ol> ------------>8------------ [-] Solution: Vendor applied fix and released version 13.0.0 with https://github.com/tecnickcom/tcexam/commit/8caf06e61a1f1f94850b5fd546a43baed85a3417 [-] Disclosure Timeline: [12/11/2015] - Vendor notified [12/12/2015] - Vendor applied fix [01/15/2016] - Public disclosure [-] Credits: Antonio Herraiz (@antonioherraizs). [-] Other References: https://www.antonioherraizs.com/correct-answer-information-disclosure-in-tcexam.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists