Persistent cross site scripting and file upload attacks possible in course management
Course management lacks input validation in many places, which allows stored XSS attacks and malicious file uploads.
Following are the vulnerable regions:
Create course:
The course name is not validated, which allows injecting a JavaScript query into the name field.
Steps to reproduce:
Instructor A creates a course with a script in course name as follows: <script>alert('CourseAlert');</script>
Another script in banner. <script>alert('BannerAlert');</script>
Login as admin.
When you click on courses, the ‘CourseAlert’ pops up.
Every time the course profile is checked by the student, the ‘BannerAlert’ also pops up.
Severity is high as admin could be attacked with a malicious script.
File Upload in course
There are illegal file extensions mentioned where all the executable files are checked. But a file without any extension is accepted. This could be a binary executable file.
Filename - It is possible to mount a javascript into this variable. Filename is not validated.
File content - An attacker can write a malicious script into the file content and upload.
Steps to reproduce:
Instructor A goes to his course and then goes to file storage.
Clicks on create a new file.
The file name is given as: <script>alert('File1');</script>
The file content is given as <script>alert('Filecontent');</script>
Now a student/Admin logs in. As soon as a page displaying file name comes, the script File1 gets popped up even without clicking on it.
If the content is downloaded, the alert Filecontent pops up.
This is of very high severity as this allows an instructor to post a virus as a file upload. Every student gets attacked. Even the administrator, while accessing the course, gets attacked if the attack is mounted.
Solution:
Against XSS: Input validation using htmlspecialchars()
Against file upload: Use a white list of extensions that are allowed to be uploaded rather than extensions that are not allowed (black list).
Create course:
The course name is not validated, which allows injecting a JavaScript query into the name field.
Steps to reproduce:
Instructor A creates a course with a script in course name as follows: <script>alert('CourseAlert');</script>
SOLUTION: add strip_tags() to sanitize course title
Another script in banner. <script>alert('BannerAlert');</script>
SOLUTION: won't fix. banner should allow JS.
Login as admin.
When you click on courses, the ‘CourseAlert’ pops up.
Every time the course profile is checked by the student, the ‘BannerAlert’ also pops up. Severity is high as admin could be attacked with a malicious script.
File Upload in course
There are illegal file extensions mentioned where all the executable files are checked. But a file without any extension is accepted. This could be a binary executable file.
SOLUTION: added extension required
Filename - It is possible to mount a javascript into this variable. Filename is not validated.
File content - An attacker can write a malicious script into the file content and upload.
Steps to reproduce:
Instructor A goes to his course and then goes to file storage.
Clicks on create a new file.
The file name is given as: <script>alert('File1');</script>
SOLUTION: required file extension fixes this
The file content is given as <script>alert('Filecontent');</script>
SOLUTION: won't fix this. script should be allowed in file content
Now a student/Admin logs in. As soon as a page displaying file name comes, the script File1 gets popped up even without clicking on it.
If the content is downloaded, the alert Filecontent pops up.
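Added example, not code from the project or from either participant in this thread: a PHP sketch of the mitigations discussed above, encoding course and file names on output with htmlspecialchars(), accepting file names only by an extension allow-list, and serving file content as a download. The extension list, the file-name character rule and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allow-list for this sketch; the real set depends on what courses need.
const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'png', 'jpg', 'zip'];

/** Encode a stored value (course name, file name) for an HTML text or attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept a file name only if it uses a conservative character set and an allow-listed extension. */
function isAcceptableFilename(string $name): bool
{
    // Rejects markup characters, path separators and leading dots.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._ -]{0,127}\z/', $name) !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // An empty extension (the "no extension" case from the report) is never in the list.
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

/** Headers that make a browser save user-supplied file content instead of rendering it. */
function downloadHeaders(string $storedName): array
{
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $storedName);
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample inputs, taken from the strings used in the report.
$courseName = "<script>alert('CourseAlert');</script>";
echo e($courseName), PHP_EOL; // encoded, so a browser shows it as text
foreach (["notes.pdf", "payload", "run.php", "<script>alert('File1');</script>"] as $name) {
    printf("%-40s %s\n", e($name), isAcceptableFilename($name) ? 'accepted' : 'rejected');
}
echo implode(PHP_EOL, downloadHeaders('lecture 1.txt')), PHP_EOL;
```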