TCExam 12.2.5 Information Disclosure

`---------------------------------------------------------  
  
Correct answer Information Disclosure in TCExam <= 12.2.5  
---------------------------------------------------------  
  
[-] Software Link:  
  
http://www.tcexam.org/  
  
[-] Vendor description:  
  
TCExam is a Open Source system for electronic exams (also know as CBA –  
Computer-Based Assessment, CBT – Computer-Based Testing or e-exam) that enables  
educators and trainers to author, schedule, deliver, and report on quizzes,  
tests and exams. TCExam is currently the most commonly used Open Source CBA  
Software in the world. TCExam users includes important universities, schools,  
public and private companies.  
  
[-] Affected Versions:  
  
Version 12.2.5 and prior versions.  
  
[-] Vulnerability Description:  
  
An instance of information disclosure on TCExam allows test takers to predict  
the right answer to questions as long as the right answer was inserted first  
during test creation time, which is the suggested way to create tests in the  
software guide. This vulnerability can lead to fraudulent test results.  
  
The vulnerability exists because even though answers are placed randomly on the  
test page, the "<input>" element for each multiple-choice answer has an "id"  
attribute with a numeric value indicating in which position the answer was  
created. Therefore the lowest "id" will always be the right answer, as long as  
the right answer was added to the question first during test creation time.  
  
[-] Proof of Concept:  
  
HTML block showing how the right answer contains the lowest value for the "id"  
attribute in the "<input>" element, in this case "answerid_9".  
  
------------8<------------  
Question: what's 2+2?  
  
<ol class="answer">  
<li><input name="answerid" id="answerid_11" value="11" type="radio">&nbsp;<label  
for="answerid_11">Incorrect answer 2</label></li>  
<li><input name="answerid" id="answerid_12" value="12" type="radio">&nbsp;<label  
for="answerid_12">Incorrect answer 3</label></li>  
<li><input name="answerid" id="answerid_10" value="10" type="radio">&nbsp;<label  
for="answerid_10">Incorrect answer 1</label></li>  
<li><input name="answerid" id="answerid_9" value="9" type="radio">&nbsp;<label  
for="answerid_9">Four</label></li>  
</ol>  
------------>8------------  
  
[-] Solution:  
  
Vendor applied fix and released version 13.0.0 with  
https://github.com/tecnickcom/tcexam/commit/8caf06e61a1f1f94850b5fd546a43baed85a3417  
  
[-] Disclosure Timeline:  
  
[12/11/2015] - Vendor notified  
[12/12/2015] - Vendor applied fix  
[01/15/2016] - Public disclosure  
  
[-] Credits:  
  
Antonio Herraiz (@antonioherraizs).  
  
[-] Other References:  
  
https://www.antonioherraizs.com/correct-answer-information-disclosure-in-tcexam.html  
  
  
`