TAO vulnerabilities offer route to account hijack

UPDATED Security researchers have uncovered multiple cross-site scripting (XSS) vulnerabilities in TAO, an open source assessment platform.

David Haintz, a security researcher at SEC Consult Vulnerability Lab, discovered the ‘medium’ severity vulnerabilities after examining the community edition of TAO, an employee training and assessment tool.

The tool, which also comes in enterprise-grade and cloud-based versions, allows organizations to test workers for knowledge on subjects including company policy or regulatory procedure. The platform also bundles Single Sign-On (SSO) and Learning Tools Interoperability (LTI) features.

Haintz’s tests on the community edition of the platform uncovered multiple XSS bugs.

“Several pages lack input validation within the URL that is output into the action attribute of a form,” an advisory from SEC Consult explains.

“An attacker can break out of the string and add custom JavaScript events to several forms. Additionally, the error page also lacks filtering user input / output.”

For example, one XSS vulnerability arises because a TAO internal error page lacks input/output validation.

Account hijacking

Johannes Greil, principal security consultant and head of SEC Consult Vulnerability Lab, told The Daily Swig that the vulnerabilities created a mechanism for account hijacking.

“We identified various cross site scripting issues and some of them are also exploitable without any prior login which increases the likelihood of a successful exploitation a bit,” Greil explained.

“An attacker could take over a victim's user account and perform unauthorized actions on behalf of this user.”

SEC Consult discovered these various vulnerabilities last September when it first attempted to report the issue to TAO. After repeated unsuccessful attempts to engage with the vendor, SEC Consult went public with its findings on April 7.

TAO subsequently got in touch to tell SEC Consult that enterprise users were already protected from the vulnerability while a fix for the community edition is in the works.

Greil explained: “The vendor replied again and they were able to reproduce the issues but also confirmed that a current version in their Github (‘3.4.0-sprint117’) is not affected anymore. Hence a patch is available now.

“They are also planning a release version 3.4.0 in the near future – in the meantime they said users should use the GitHub version. They also told me that Enterprise edition users are not affected as they are already on newer versions,” he added.

In response to queries from The Daily Swig, TAO confirmed that the flaws affected only the community edition of its software, which it plans to update shortly. Users of the enterprise versions of its product were never at risk.

“The TAO QA team has confirmed that these security findings had already been resolved in the recent versions of TAO, available through OAT GitHub and used by OAT customers on Premium and Enterprise Editions,” the firm said in a statement.

“After being provided the exploit details, the QA team was not able to reproduce these issues on any recent TAO versions. We release new versions of TAO regularly, after every (two week) sprint, but only periodically release a new packaged version of the Community Edition for download from the TAO website.

“However, the most recent version is always available on Github. We were just in the process of preparing a new 3.4 Community Edition package release, which was delayed due to recent global events. We intend to complete this release for our website shortly,” it added.


This story has been updated to include comments from TAO, the supplier of the assessment platform.

RELATED Micronaut CRLF injection bug opened the door to server-side request forgery