what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TAO Open Source Assessment Platform 3.3.0 RC2 Cross Site Scripting

TAO Open Source Assessment Platform 3.3.0 RC2 Cross Site Scripting
Posted Apr 7, 2020
Authored by David Haintz | Site sec-consult.com

TAO Open Source Assessment Platform version 3.3.0 RC2 suffers from multiple cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | 84a4363ff838ac329c2aa50639312beab5e73c9771b2a3f2ab6b835582fbe6da

TAO Open Source Assessment Platform 3.3.0 RC2 Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20200407-0 >
=======================================================================
title: Multiple XSS vulnerabilities
product: TAO Open Source Assessment Platform
vulnerable version: 3.3.0 RC2
fixed version: -
CVE number: -
impact: medium
homepage: https://www.taotesting.com/product/community/
found: 2019-09-16
by: David Haintz
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The Next Generation Open Source Assessment Solution -
Say goodbye to technical complexity and yet another IT project. Say hello to an
all-in-one assessment solution. Easily tap into the power of open source, single
sign-on and LTI. Open source means open possibilities so you can benefit from
the ideas of the expert assessment community."

Source: https://www.taotesting.com/product/


Business recommendation:
------------------------
The vendor did not respond to our communication attempts, hence no patch is
available.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from further security
issues.


Vulnerability overview/description:
-----------------------------------
1) Multiple XSS vulnerabilities
Several pages lack input validation within the URL that is output into the
action attribute of a form. An attacker can break out of the string
and add custom JavaScript events to several forms. Additionally, the error
page also lacks filtering user input / output.


Proof of concept:
-----------------
1) Multiple XSS vulnerabilities
a) XSS in URL for form action attributes

If a victim accesses the following link and enters their credentials, an alert
shows the entered password:

[ removed PoC from advisory ]

Since chars like " or < and > are filtered in this case, a string had to be built
by using char codes and JavaScript's String.fromCharCode(). The same pattern
works for many other paths too. Following additional paths were also found to be
vulnerable:

[ removed PoC from advisory ]


b) XSS in error page
The internal error page also lacks input/output validation. The following URL
generates a website opening a message box showing the current location without
any filtering:

[ removed PoC from advisory ]


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one at the time
of the test:

* 3.3.0 RC2


Vendor contact timeline:
------------------------
2019-09-17: Contacting vendor through https://www.taotesting.com/contact-us/
2019-10-08: Contacting vendor again through https://www.taotesting.com/contact-us/
2020-03-19: Checked whether newer version exists; contacting vendor again through
contact form and support contact email address.
Got sales auto-response which automatically booked an online
meeting with a "Business Development" person. Also automatically got
added to a newsletter which we did not agree in the contact form.
Contacted "Business Development" person via email directly. No response.
2020-03-20: Sent email again, asking for security contact
2020-03-23: Sent email again to sales@taotesting.com and "Business Development"
person; no response
2020-04-07: Release of security advisory


Solution:
---------
The vendor did not respond to our communication attempts, hence no patch is
available.


Workaround:
-----------
Don't use the product or implement additional measures such as a WAF until the
vendor fixes the security issues.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF @D. Haintz, J. Greil / 2020

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close