Multiple Vulnerabilities in TCExam

Nick Manfredi
Published in Tenable TechBlog, Jun 9, 2020

Online learning has seen an increase in activity during the coronavirus pandemic. Multiple vulnerabilities were identified in TCExam, a popular online testing system that could have allowed a remote, unauthenticated attacker to gain administrative access to the e-exam system.

The self-registration form on TCExam, a popular, open source e-exam system

Background

At the end of April, over 1.2 billion children around the globe were out of the classroom due to the coronavirus pandemic, according to the World Economic Forum. [1] Many students have seen their courses move online, necessitating tools for remote assessment: an EDUCAUSE poll conducted on April 7, 2020, found that over three-quarters of higher education institutions surveyed may move to online exams, with 54% already doing so. [2] Now, more than ever, it’s important to secure these online learning resources.

One option for educators looking to make the switch to online assessment is TCExam. TCExam is a popular open-source system for computer-based testing that has been translated into 26 different languages. The platform allows educators to create exams for students and deliver them remotely.

I was curious about the security of this platform, so I downloaded and set up the latest version of the software, 14.2.2, and discovered multiple vulnerabilities that compromise the confidentiality, integrity, and availability of the testing system.

XSS and Insecure Direct Object Reference

Some of the first bugs I found were stored XSS flaws. By submitting malicious input to the application and looking through the PHP echo statements in the codebase for places where user input was displayed without sanitization, I found 6 XSS vulnerabilities.

I realized, for example, that an unauthenticated, remote attacker could store XSS payloads in the TCExam database via the self-registration form, which is enabled by default. By exploring the functionality available to an administrator of the system, I discovered that an XSS payload in a username would be executed when the administrator updated or deleted the user, as seen below, and that payloads in the user’s first and last name were executed when an administrator went to view online users.

An XSS payload stored in a username will fire when an administrator updates or deletes that user.

Additionally, I tried editing URL GET parameters on various pages. I found that authenticated student users are able to view metadata for exams that they don’t have permission to access. The following picture shows a student user viewing the metadata of an exam that is only available to members of a group of which they are not a part.

A student user can view the metadata of tests which they don’t have permission to take.

Authenticated Directory Traversal / Arbitrary File Read

I also used Burp Suite to edit the parameters of POST requests. I knew that administrators were able to download backup files, and with Burp Suite I saw that the POST parameter for the backup file was not sufficiently validated. So, I was able to grab the contents of /etc/passwd, as seen below.

Editing a POST parameter can expose the contents of the server’s /etc/passwd

CSRF

TCExam offered no protection against CSRF attacks. By tricking a legitimate user into clicking a malicious link in a browser with an active TCExam session, unauthenticated, remote attackers were able to fire off valid application requests in order to, for instance, change the admin’s own password and gain administrative access to the TCExam platform.

Chris Lyne pointed out that this can be combined with the unauthenticated XSS vulnerabilities mentioned above. By, for example, self-registering a username with a crafted HTML script tag, an attacker can cause an administrator to issue a request to a server under the control of the attacker. The attacker can then log the request headers as well as the PHPSESSID and LastVisit cookies and use these to issue a curl request that changes the admin’s password. The request headers are necessary in order to bypass a security check on the browser’s fingerprint.
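The two server-side fixes the traversal and CSRF sections call for, as an added illustration rather than TCExam's own code: the backup directory, the `.sql` naming rule, the `backup_file` and `csrf_token` parameter names and the session-token helper are all assumptions chosen for the example.

```php
<?php
// Added example, not TCExam's own code: a hardened backup-download handler
// covering the traversal and CSRF issues described above. The directory,
// the .sql naming rule and the parameter names are assumptions.
declare(strict_types=1);
session_start();
const BACKUP_DIR = '/var/lib/tcexam/backup'; // assumed location

// CSRF: per-session random token, emitted as a hidden form field via
// csrf_token() and required back on every state-changing POST.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time
}

// Traversal: allow-list the file name, then confirm the resolved path is
// still inside BACKUP_DIR (realpath() also resolves symlinks).
function resolve_backup_file(string $name): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]+\.sql$/', $name)) {
        return null; // rejects '/', '..', NUL bytes and anything unexpected
    }
    $base = realpath(BACKUP_DIR);
    $path = realpath(BACKUP_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null; // directory missing or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $file = resolve_backup_file((string)($_POST['backup_file'] ?? ''));
    if ($file === null) {
        http_response_code(400);
        exit('invalid backup file name');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
}
```

The same token check belongs on every other state-changing endpoint, the password-change form included, since a token the attacker's page cannot read is what stops the cross-site request chain described above.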

Impact

If exploited, an unauthenticated, remote attacker could use these vulnerabilities to gain administrative access to TCExam. A student could exploit these vulnerabilities to, for example, view the grades of other students in their course, or to change other students’ passwords and fail their exams.

Vendor Response

Tenable notified info@tecnick.com of these vulnerabilities on May 6. They quickly acknowledged and released TCExam version 14.2.3 to address them on the same day.

Get more information
