=======================================================================
title: Multiple XSS vulnerabilities
product: TAO Open Source Assessment Platform
vulnerable version: 3.3.0 RC2
fixed version: -
CVE number: -
impact: medium
homepage: https://www.taotesting.com/product/community/
found: 2019-09-16
by: David Haintz
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The Next Generation Open Source Assessment Solution -
Say goodbye to technical complexity and yet another IT project. Say
hello to an
all-in-one assessment solution. Easily tap into the power of open
source, single
sign-on and LTI. Open source means open possibilities so you can
benefit from
the ideas of the expert assessment community."
Source: https://www.taotesting.com/product/
Business recommendation:
------------------------
The vendor did not respond to our communication attempts, hence no
patch is
available.
An in-depth security analysis performed by security
professionals is
highly advised, as the software may be affected from further
security
issues.
Vulnerability overview/description:
-----------------------------------
1) Multiple XSS vulnerabilities
Several pages lack input validation within the URL that is output
into the
action attribute of a form. An attacker can break out of the
string
and add custom JavaScript events to several forms. Additionally,
the error
page also lacks filtering user input / output.
Proof of concept:
-----------------
1) Multiple XSS vulnerabilities
a) XSS in URL for form action attributes
If a victim accesses the following link and enters their
credentials, an alert
shows the entered password:
[ removed PoC from advisory ]
Since chars like " or < and > are filtered in this case, a
string had to be built
by using char codes and JavaScript's String.fromCharCode(). The
same pattern
works for many other paths too. Following additional paths were
also found to be
vulnerable:
[ removed PoC from advisory ]
b) XSS in error page
The internal error page also lacks input/output validation. The
following URL
generates a website opening a message box showing the current
location without
any filtering:
[ removed PoC from advisory ]
Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent
one at the time
of the test:
* 3.3.0 RC2
Vendor contact timeline:
------------------------
2019-09-17: Contacting vendor through
https://www.taotesting.com/contact-us/
2019-10-08: Contacting vendor again through
https://www.taotesting.com/contact-us/
2020-03-19: Checked whether newer version exists; contacting vendor
again through
contact form and support contact email address.
Got sales auto-response which automatically booked an online
meeting with a "Business Development" person. Also automatically
got
added to a newsletter which we did not agree in the contact
form.
Contacted "Business Development" person via email directly. No
response.
2020-03-20: Sent email again, asking for security contact
2020-03-23: Sent email again to
person; no response
2020-04-07: Release of security advisory
Solution:
---------
The vendor did not respond to our communication attempts, hence no
patch is
available.
Workaround:
-----------
Don't use the product or implement additional measures such as a
WAF until the
vendor fixes the security issues.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC
Consult. It
ensures the continued knowledge gain of SEC Consult in the field of
network
and application security to stay ahead of the attacker. The SEC
Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation
of new offensive and defensive technologies for our customers.
Hence our
customers obtain the most current information about vulnerabilities
and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application
https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of
SEC Consult?
Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF @D. Haintz, J. Greil / 2020
Read more https://packetstormsecurity.com/files/157155/SA-20200407-0.txt