
Persistent cross site scripting and file upload attacks possible in course management #103

Closed
spchal opened this issue Aug 11, 2015 · 2 comments

Comments

@spchal

spchal commented Aug 11, 2015

Persistent cross site scripting and file upload attacks possible in course management

Course management is lacking input validation in many places, which allows stored XSS attacks and malicious file upload.
The following are the vulnerable regions:

  1. Create course:
    The course name is not validated, which allows injecting a JavaScript query into the name field.
    Steps to reproduce:
  • Instructor A creates a course with a script in the course name as follows: <script>alert('CourseAlert');</script>
  • Another script in the banner: <script>alert('BannerAlert');</script>
  • Login as admin.
  • When you click on courses, the ‘CourseAlert’ pops up.
  • Every time the course profile is checked by the student, the ‘BannerAlert’ also pops up.
    Severity is high as admin could be attacked with a malicious script.
  2. File Upload in course
    Illegal file extensions are listed, and all executable files are checked against them. But a file without any extension is accepted. This could be a binary executable file.
    Filename - It is possible to mount JavaScript in this variable. The filename is not validated.
    File content - An attacker can write a malicious script into the file content and upload it.

Steps to reproduce:

  • Instructor A goes to his course and then to file storage.
  • Clicks on create a new file.
  • The file name is given as: <script>alert('File1');</script>
  • The file content is given as: <script>alert('Filecontent');</script>
  • Now a student/admin logs in. As soon as a page displaying the file name comes up, the File1 script pops up even without clicking on it.
  • If the content is downloaded, the alert Filecontent pops up.

This is of very high severity, as it allows an instructor to post a virus as a file upload. Every student gets attacked. Even the administrator gets attacked while accessing the course if the attack is mounted.

Solution:
Against XSS: input validation using htmlspecialchars()
Against file upload: use a whitelist of extensions that are allowed to be uploaded rather than extensions that are not allowed (blacklist).

@gregrgay
Collaborator

> 1. Create course:
> The course name is not validated, which allows injecting a JavaScript query into the name field.
> Steps to reproduce:
> Instructor A creates a course with a script in the course name as follows: <script>alert('CourseAlert');</script>

SOLUTION: add strip_tags() to sanitize course title

> Another script in the banner: <script>alert('BannerAlert');</script>

SOLUTION: won't fix. banner should allow JS.

> Login as admin.
> When you click on courses, the ‘CourseAlert’ pops up.
> Every time the course profile is checked by the student, the ‘BannerAlert’ also pops up. Severity is high as admin could be attacked with a malicious script.
>
> 2. File Upload in course
> Illegal file extensions are listed, and all executable files are checked against them. But a file without any extension is accepted. This could be a binary executable file.

SOLUTION: added extension required

> Filename - It is possible to mount JavaScript in this variable. The filename is not validated.
> File content - An attacker can write a malicious script into the file content and upload it.
>
> Steps to reproduce:
>
> Instructor A goes to his course and then to file storage.
> Clicks on create a new file.
> The file name is given as: <script>alert('File1');</script>

SOLUTION: required file extension fixes this

> The file content is given as: <script>alert('Filecontent');</script>

SOLUTION: won't fix this. script should be allowed in file content

> Now a student/admin logs in. As soon as a page displaying the file name comes up, the File1 script pops up even without clicking on it.
> If the content is downloaded, the alert Filecontent pops up.

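An added example, not the project's own code nor either commenter's, of the two mitigations discussed in the report and the reply above: encoding the course title on output with htmlspecialchars(), and an upload filename check that requires an extension and compares it against a whitelist instead of a blacklist. The function names, the sample filenames and the contents of the whitelist are assumptions.

```php
<?php
// Added example (not the project's code): the whitelist-plus-required-extension
// check for uploaded filenames and output encoding for the course title.
// Function names and the whitelist below are assumptions.

/** Return true only if $filename carries an extension present in $allowed. */
function upload_filename_is_allowed(string $filename, array $allowed): bool
{
    // Reject empty names, path separators and control characters outright.
    if ($filename === '' || preg_match('/[\/\\\\\x00-\x1f]/', $filename)) {
        return false;
    }
    // Only the last extension counts, so "payload.pdf.exe" is judged as "exe".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    // A missing extension is a rejection, which closes the "file without any
    // extension is accepted" gap described in the report.
    if ($ext === '') {
        return false;
    }
    return in_array($ext, $allowed, true);
}

/** Encode a course title for safe inclusion in HTML text or attribute context. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$allowed = ['pdf', 'txt', 'png', 'jpg', 'gif', 'zip']; // assumed whitelist

// Constructed filenames mirroring the shapes discussed in the report.
$cases = [
    "<script>alert('File1');</script>" => false, // no extension, has '/'
    'notes'                             => false, // no extension
    'lecture1.pdf'                      => true,
    'evil.php'                          => false, // not on the whitelist
    'payload.pdf.exe'                   => false, // last extension decides
    'LECTURE.PDF'                       => true,  // extension is case-insensitive
];
foreach ($cases as $name => $expected) {
    assert(upload_filename_is_allowed($name, $allowed) === $expected);
}

// The course-title payload from the report, rendered inert by output encoding.
$title = "<script>alert('CourseAlert');</script>";
echo '<h1>' . html_escape($title) . "</h1>\n";
```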