Testing system told to buck up its act

UPDATED Security researchers have uncovered multiple vulnerabilities in TCExam, a popular open source online testing system.

If successfully exploited, an unauthenticated, remote attacker could gain administrative access to the organization’s computer-based assessment – or ‘e-exam’ – system.

This, in turn, would open to door to all manner of exploits including allowing a student (or other malicious actor) to view or change the grades of other students, up to and including the possibility of changing admin login details.

The flaws were uncovered by security researchers at Tenable who disclosed their findings to TCExam, which has resolved the problems with the latest version of its software.

Dusting off the old school books

Translated into over 26 different languages, TCExam is a widely used e-learning system that allows educators to create exams for students and deliver them remotely – a form of technology that has become incredibly important as a means to continue the education of youngsters during the ongoing coronavirus pandemic.

The increased importance of remote learning during the current, ongoing health emergency prompted Tenable’s Nick Manfredi to examine the then latest version of TCExam’s software, 14.2.2.

INSIGHT Coronavirus: How to work from home securely during a period of isolation

Manfredi’s subsequent examinations uncovered multiple vulnerabilities in the technology that compromise the confidentiality, integrity, and availability of the testing system.

For example, he discovered no less than six stored cross-site scripting (XSS) vulnerabilities, which arose because of a failure to sanitize user-submitted inputs.

An Insecure Direct Object Reference, meanwhile, meant authenticated student users are able to view metadata of tests which they don’t have permission to take.

Admin access

Using Burp Suite, Manfredi was also able to find separate authenticated directory traversal and arbitrary file read vulnerabilities. The flaw created a mechanism for attackers to access password data.

To cap it all, TCExam offered no protection against cross-site request forgery (CSRF) attacks.

“By tricking a legitimate user into clicking a malicious link in a browser with an active TCExam session, unauthenticated, remote attackers were able to fire off valid application requests in order to, for instance, change the admin’s own password and gain administrative access to the TCExam platform,” Manfredi writes.

This CSRF issue might have been combined with the XSS problems to brew even more potent attacks that created a mechanism to change admin passwords.

Tenable notified TCExam of these vulnerabilities on May 6. The vendor responded with the release of patched versions of its (TCExam version 14.2.3) around a month later.

Researchers at Tenable public with their findings through a blog post and detailed technical advisory.

In response to questions from The Daily Swig, Tenable said its team haven't yet researched other online learning platforms, so the firm was therefore unable to offer any comparative security opinion on TCExam.

TCExam offers a general testing platform that administrators can use it to create any kind of exam. The platform could therefore be used for any subject matter and any age group that can take an exam.

The Daily Swig invited TCExam to comment on the vulnerabilities.

This story has been updated to add comment from Tenable.

READ MORE Flaw in property inventory website exposed thousands of users’ home contents