TL;DR
SureCloud identified a stored cross-site scripting (XSS) vulnerability in the Open edX platform, a Learning Management System (LMS) used by many large organizations including Microsoft, IBM and several universities, in versions before Lilac release-2021-08-02-19.11.
JavaScript access to the main session token was restricted, preventing trivial session hijack. However, account hijack was still possible by leveraging the XSS vulnerability to change the email address associated with an account to an attacker-controlled address and then issuing a password reset request.
The following article aims to provide a technical overview of the identified vulnerability.
Test Environment
Open edX is an open-source project that is available on GitHub (https://github.com/edx/edx-platform). For testing purposes the docker-based Open edX distribution, Tutor (https://docs.tutor.overhang.io/) was used to deploy a local instance of the latest Lilac release.
CVE-2021-39248 – Authenticated Stored XSS via LaTeX Injection
The Open edX platform was observed to render LaTeX content within discussion posts from an authenticated perspective. Leveraging LaTeX injection, it was possible to achieve stored XSS in the form of a malicious JavaScript URL that could be embedded into a discussion post. If a user viewed and clicked on the URL, the stored JavaScript would be executed in the context of their session.
The following payload, which produces a popup box when executed, was used to detect and validate the presence of this vulnerability:
$\href{javascript:alert(2)}{XSS}$
This vulnerability was assigned a CVSSv3 score of 6.1, based on vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Demonstrating Impact – Account Hijack
To demonstrate the impact of XSS and the importance of fixing other less severe issues, SureCloud chained multiple issues together to achieve account hijack on the Open edX platform. The issues chained together were as follows:
- XSS (CVE-2021-39248)
- Sensitive information (Username & CSRF tokens) stored in cookies without the HttpOnly cookie flag set.
- Username used in request URLs for managing profiles.
- Sign-in email address could be changed without requiring re-authentication.
Combining these issues, a malicious user could carry out the following attack chain:
- Embed a malicious JavaScript URL into a discussion post.
- Lure or wait for a user to visit the post and click on the malicious link.
- Upon being clicked, the JavaScript would execute and parse the ‘csrftoken’ and ‘edx-user-info’ cookie values, resulting in the compromise of a usable CSRF token and the username of the victim.
- Using these values, the JavaScript could then make a ‘PATCH’ XMLHttpRequest to the ‘/api/user/v1/accounts/username’ endpoint, populating the end of the URL with the obtained username and setting the ‘X-Csrftoken’ header to the value obtained from the relevant cookie.
- This request would cause the email address of the victim’s account to be amended to an attacker-supplied value.
- At this stage, an attacker would be able to issue a forgot password request and acquire ownership of the account.
The following video also demonstrates the described attack chain:
Remediation
As of release-2021-08-02-19.11, Open edX sanitizes untrusted user input to prevent LaTeX code containing JavaScript URLs from rendering on the frontend. This fix successfully mitigates the aforementioned XSS vulnerability (CVE-2021-39248).
All system admins of Open edX platforms are advised to upgrade to the latest Lilac release.
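As an added illustration of the kind of input sanitization the fix describes, the Python below applies a scheme allowlist to every \href in a post before it reaches the renderer, neutralising the advisory's payload while leaving ordinary links intact. This is example code written for this article, not Open edX's own fix; the ALLOWED_SCHEMES policy, the HREF_RE pattern and the sample posts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Link schemes a discussion post may use. This allowlist is an assumed
# policy for the example, not Open edX's configuration.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# \href{<url>}{<text>}: group 1 is the URL, group 2 the visible link text.
# Assumes neither part contains nested braces.
HREF_RE = re.compile(r"\\href\{([^{}]*)\}\{([^{}]*)\}")


def url_is_safe(url: str) -> bool:
    """Allowlist check on the URL scheme.

    Surrounding whitespace is stripped and the scheme lower-cased before the
    comparison, so the decision does not depend on exact spelling. URLs with
    no scheme (relative links) are accepted; any other scheme is refused.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitize_latex(source: str):
    """Return (cleaned LaTeX, list of refused URLs).

    A refused \\href is replaced by its plain link text, so the post still
    renders but nothing clickable is left for the browser to follow.
    """
    rejected = []

    def replace(match):
        url, text = match.group(1), match.group(2)
        if url_is_safe(url):
            return match.group(0)
        rejected.append(url)
        return text

    return HREF_RE.sub(replace, source), rejected


# Constructed sample posts: the advisory's detection payload plus benign links.
SAMPLE_POSTS = {
    "advisory_payload": r"$\href{javascript:alert(2)}{XSS}$",
    "benign": r"See $\href{https://example.com/notes}{the notes}$ for details.",
    "mixed": r"$\href{HTTPS://example.com}{ok}$ and $\href{ javascript:alert(2) }{bad}$",
}

if __name__ == "__main__":
    for name, post in SAMPLE_POSTS.items():
        clean, rejected = sanitize_latex(post)
        print(f"{name}: {clean!r} rejected={rejected}")
```

The returned list of refused URLs is worth logging, since a spike of refused links in discussion posts is a useful signal that someone is probing the renderer.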
Disclosure Timeline:
- 21/07/2021: Bug identified
- 22/07/2021: Initial vendor communications
- 26/07/2021: Vulnerability notification sent to the vendor
- 02/08/2021: Fix released (release-2021-08-02-19.11)
- 14/12/2021: This blog post published