SEC Consult Vulnerability Lab Security Advisory < 20200407-0 > ======================================================================= title: Multiple XSS vulnerabilities product: TAO Open Source Assessment Platform vulnerable version: 3.3.0 RC2 fixed version: - CVE number: - impact: medium homepage: https://www.taotesting.com/product/community/ found: 2019-09-16 by: David Haintz SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The Next Generation Open Source Assessment Solution - Say goodbye to technical complexity and yet another IT project. Say hello to an all-in-one assessment solution. Easily tap into the power of open source, single sign-on and LTI. Open source means open possibilities so you can benefit from the ideas of the expert assessment community." Source: https://www.taotesting.com/product/ Business recommendation: ------------------------ The vendor did not respond to our communication attempts, hence no patch is available. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1) Multiple XSS vulnerabilities Several pages lack input validation within the URL that is output into the action attribute of a form. An attacker can break out of the string and add custom JavaScript events to several forms. Additionally, the error page also lacks filtering user input / output. Proof of concept: ----------------- 1) Multiple XSS vulnerabilities a) XSS in URL for form action attributes If a victim accesses the following link and enters their credentials, an alert shows the entered password: [ removed PoC from advisory ] Since chars like " or < and > are filtered in this case, a string had to be built by using char codes and JavaScript's String.fromCharCode(). The same pattern works for many other paths too. Following additional paths were also found to be vulnerable: [ removed PoC from advisory ] b) XSS in error page The internal error page also lacks input/output validation. The following URL generates a website opening a message box showing the current location without any filtering: [ removed PoC from advisory ] Vulnerable / tested versions: ----------------------------- The following version has been tested, which was the most recent one at the time of the test: * 3.3.0 RC2 Vendor contact timeline: ------------------------ 2019-09-17: Contacting vendor through https://www.taotesting.com/contact-us/ 2019-10-08: Contacting vendor again through https://www.taotesting.com/contact-us/ 2020-03-19: Checked whether newer version exists; contacting vendor again through contact form and support contact email address. Got sales auto-response which automatically booked an online meeting with a "Business Development" person. Also automatically got added to a newsletter which we did not agree in the contact form. Contacted "Business Development" person via email directly. No response. 2020-03-20: Sent email again, asking for security contact 2020-03-23: Sent email again to sales@taotesting.com and "Business Development" person; no response 2020-04-07: Release of security advisory Solution: --------- The vendor did not respond to our communication attempts, hence no patch is available. Workaround: ----------- Don't use the product or implement additional measures such as a WAF until the vendor fixes the security issues. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF @D. Haintz, J. Greil / 2020