Multiple Vulnerabilities in TCExam

Nick Manfredi
Jun 9, 2020 · 4 min read

Online learning has seen an increase in activity during the coronavirus pandemic. Multiple vulnerabilities were identified in TCExam, a popular online testing system that could have allowed a remote, unauthenticated attacker to gain administrative access to the e-exam system.

The self-registration form on TCExam, a popular, open source e-exam system

Background

At the end of April, over 1.2 billion children around the globe were out of the classroom due to the coronavirus pandemic, according to the World Economic Forum. [1] Many students have seen their courses move online, necessitating tools for remote assessment: an EDUCAUSE poll conducted on April 7, 2020, found that over three-quarters of higher education institutions surveyed may move to online exams, with 54% already doing so. [2] Now, more than ever, it’s important to secure these online learning resources.

One option for educators looking to make the switch to online assessment is TCExam. TCExam is a popular open-source system for computer-based testing that has been translated into 26 different languages. The platform allows educators to create exams for students and deliver them remotely.

I was curious about the security of this platform, so I downloaded and set up the latest version of the software, 14.2.2, and discovered multiple vulnerabilities that compromise the confidentiality, integrity, and availability of the testing system.

XSS and Insecure Direct Object Reference

Some of the first bugs found were stored XSS. By submitting malicious input to the application and looking through the PHP echo statements in the codebase for places where user input was displayed without sanitization, I found 6 XSS vulnerabilities.

I realized, for example, that an unauthenticated, remote attacker could store XSS payloads in the TCExam database via the self-registration form, which is enabled by default. By exploring the functionality available to an administrator of the system, I discovered that an XSS payload in a username would be executed when the administrator updated or deleted the user, as seen below, and that payloads in the user’s first and last name were executed when an administrator went to view online users.

An XSS payload stored in a username will fire when an administrator updates or deletes that user.

Additionally, I tried editing URL GET parameters on various pages. I found that authenticated student users are able to view metadata for exams that they don’t have permission to access. The following picture shows a student user viewing the metadata of an exam that is only available to members of a group of which they are not a part.

A student user can view the metadata of tests which they don’t have permission to take.

Authenticated Directory Traversal / Arbitrary File Read

I also used Burp Suite to edit the parameters of POST requests. I knew that administrators were able to download backup files, and with Burp Suite I saw that the POST parameter for the backup file was not sufficiently validated. So, I was able to grab the contents of /etc/passwd, as seen below.

Editing a post parameter can expose the contents of the server’s /etc/passwd

CSRF

TCExam offered no protection against CSRF attacks. By tricking a legitimate user into clicking a malicious link in a browser with an active TCExam session, unauthenticated, remote attackers were able to fire off valid application requests in order to, for instance, change the admin’s own password and gain administrative access to the TCExam platform.

Chris Lyne pointed out that this can be combined with the unauthenticated XSS vulnerabilities mentioned above. By, for example, self-registering a username with a crafted HTML script tag, an attacker can cause an administrator to issue a request to a server under the control of the attacker. The attacker can then log the request headers as well as the PHPSESSID and LastVisit cookies and use these to issue a curl request that changes the admin’s password. The request headers are necessary in order to bypass a security check on the browser’s fingerprint.

Impact

If exploited, an unauthenticated, remote attacker could use these vulnerabilities to gain administrative access to TCExam. A student could exploit these vulnerabilities to, for example, view the grades of other students in their course, or to change other student’s passwords and fail their exams.

Vendor Response

Tenable notified info@tecnick.com of these vulnerabilities on May 6. They quickly acknowledged and released TCExam version 14.2.3 to address them on the same day.

Get more information

Tenable TechBlog

Learn how Tenable finds new vulnerabilities and writes the…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store