TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities

Title: TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5025
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 13.07.2011
Summary
TCExam is a FLOSS system for electronic exams (also known as CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams.
Description
TCExam suffers from multiple pre- and post-authentication XSS vulnerabilities: user input passed to multiple parameters via the GET and POST methods in multiple scripts is not properly sanitized before being echoed back into the HTML response. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session, for example by luring a logged-in user to a crafted link.
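The following is an added example to illustrate the class of bug described above; it is not code from TCExam or from the advisory's PoC file. The parameter name "q" and the two rendering functions are assumptions for illustration only. It shows the unsanitized echo pattern next to the hardened form, plus the kind of canary reflection check used to confirm such findings.

```php
<?php
// Added example, not TCExam's own code. Parameter name "q" is assumed.

/**
 * Vulnerable pattern: a request parameter is concatenated straight into
 * the HTML response. A value such as "><script>alert(1)</script> closes
 * the quoted attribute and the tag, then injects script into the page.
 */
function render_vulnerable(array $request): string
{
    $q = isset($request['q']) ? $request['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">';
}

/**
 * Hardened pattern: encode for the HTML context the value is inserted
 * into. ENT_QUOTES escapes both single and double quotes so the value
 * cannot break out of a quoted attribute; the charset must match the
 * one declared by the page, otherwise multibyte tricks can bypass it.
 */
function render_fixed(array $request): string
{
    $q = isset($request['q']) ? $request['q'] : '';
    $safe = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

/**
 * Minimal reflection check of the kind used to confirm a finding: send a
 * unique canary containing attribute- and tag-breaking characters and
 * test whether it comes back byte-for-byte. True means the output is
 * injectable in this context; false means the characters were encoded.
 */
function reflects_unencoded(callable $renderer, string $param): bool
{
    $canary = '"><zsl' . bin2hex(random_bytes(4)) . '>';
    $body   = $renderer([$param => $canary]);
    return strpos($body, $canary) !== false;
}

// Usage: the same array shape works whether the data came from $_GET or
// $_POST, which is why both methods are listed as affected above.
$payload = ['q' => '"><script>alert(document.cookie)</script>'];
echo render_vulnerable($payload), PHP_EOL;
echo render_fixed($payload), PHP_EOL;
var_dump(reflects_unencoded('render_vulnerable', 'q'));
var_dump(reflects_unencoded('render_fixed', 'q'));
```

Note that htmlspecialchars() is only correct for values placed into HTML text or quoted attributes; a parameter reflected inside a script block, a URL, or an unquoted attribute needs the encoding appropriate to that context.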
Vendor
Tecnick.com s.r.l. - http://www.tcexam.org
Affected Version
11.2.009, 11.2.010 and 11.2.011
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[09.07.2011] Vulnerability discovered.
[10.07.2011] Initial contact with the vendor.
[11.07.2011] Vendor responds asking more details.
[11.07.2011] Sent details to vendor.
[12.07.2011] Vendor confirms the issues.
[12.07.2011] Working with the vendor.
[13.07.2011] Vendor releases version 11.2.012 to address these issues.
[13.07.2011] Coordinated public security advisory released.
PoC
tcexam_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Dr. Nicola Asuni
References
[1] http://sourceforge.net/projects/tcexam/files/tcexam_11_2_012.zip
[2] http://sourceforge.net/projects/tcexam/files/CHANGELOG.TXT
[3] http://packetstormsecurity.org/files/103035
[4] http://securityreason.com/wlb_show/WLB-2011070042
[5] http://secunia.com/advisories/45225/
[6] http://www.securityfocus.com/bid/48669
[7] http://osvdb.org/show/osvdb/73810
[8] http://osvdb.org/show/osvdb/73811
[9] http://osvdb.org/show/osvdb/73812
[10] http://osvdb.org/show/osvdb/73813
[11] http://osvdb.org/show/osvdb/73814
[12] http://osvdb.org/show/osvdb/73815
[13] http://osvdb.org/show/osvdb/73816
[14] http://osvdb.org/show/osvdb/73817
[15] http://osvdb.org/show/osvdb/73818
[16] http://osvdb.org/show/osvdb/73819
[17] http://osvdb.org/show/osvdb/73820
[18] http://osvdb.org/show/osvdb/73821
[19] http://osvdb.org/show/osvdb/73822
[20] http://osvdb.org/show/osvdb/73823
[21] http://osvdb.org/show/osvdb/73824
[22] http://xforce.iss.net/xforce/xfdb/68551
Changelog
[13.07.2011] - Initial release
[14.07.2011] - Added reference [3], [4], [5] and [6]
[16.07.2011] - Added reference [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20] and [21]
[19.07.2011] - Added reference [22]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk