WeBWorK Main Forum

WeBWorK 2.18 cross-site scripting vulnerabilities

by Alexei Kolesnikov
Number of replies: 2

I am running WeBWorK 2.18; default setup from the provided VM, with changes to secure the passwords.

Our IT ran a vulnerability scan and came up with a variety of XSS vulnerabilities. An example of this:

https://webwork.towson.edu/webwork2/1242TEST-333-001/%3C--!%20hello

injects "<--! hello" into the page as the title.

Looking around other sites, it may not be limited to Towson, or to the 2.18 version (I think I saw a 2.14 with the same issue).

All students are authenticating through BlackBoard, but many faculty use a direct link to log in. My thought is to enable BlackBoard login only and hope that this would fix the issue.

Are there other possible solutions?

Thank you,

--Alexei

In reply to Alexei Kolesnikov

Re: WeBWorK 2.18 cross-site scripting vulnerabilities

by Andras Balogh

This was a problem for us too, but not anymore. At least not on our v2.17 WeBWorK with similar Blackboard and direct login options as yours. You might want to search the forum for answers; I already forgot how it was fixed. I would like to express my gratitude to the developers again for helping with the fix.

In reply to Alexei Kolesnikov

Re: WeBWorK 2.18 cross-site scripting vulnerabilities

by Glenn Rice

Being able to inject something like "<--! hello" into a page title by adding "%3C--!%20hello" to the URL is not a cross-site scripting vulnerability. It only becomes a cross-site scripting vulnerability if something injected into the URL contains a script that will actually be executed because the site does not sanitize the URL and literally injects the passed contents into the DOM.

So the test that your IT is using is not entirely valid.

However, WeBWorK is vulnerable to a cross-site scripting attack that we now have a mechanism to fix. The vulnerability was reported in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4295. This will be fixed for the next release.
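The distinction Glenn draws, as an added illustration that is not code from this thread or from WeBWorK itself: a string taken from the URL path and reflected into the page is only a problem if it reaches the HTML unescaped, so that the browser's parser sees a new element. The example below decodes the last path segment the way a web app might to display a set name, renders a small page with and without HTML escaping, and uses Python's own HTML parser as a stand-in for the browser to see which elements each rendering actually creates. The URL host, the `render_page` layout and the check function are constructed for this example; the path is the one quoted at the top of the thread.

```python
"""Constructed example: reflected URL text vs. an escaped page title."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample URLs. The first reuses the path from the original post
# (host replaced by a placeholder); the second carries a script element so
# the parser-level difference between the two renderings is visible.
URL_FROM_POST = "https://webwork.example.edu/webwork2/1242TEST-333-001/%3C--!%20hello"
URL_WITH_SCRIPT = "https://webwork.example.edu/webwork2/1242TEST-333-001/%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def set_name_from_url(url: str) -> str:
    """Take the last path segment and percent-decode it, as an app would
    to show a set name. The decoded value is attacker-controlled text."""
    path = urlsplit(url).path
    return unquote(path.rstrip("/").rsplit("/", 1)[-1])


def render_page(set_name: str, escape: bool = True) -> str:
    """Hypothetical page template. With escape=True the set name is HTML-escaped
    (html.escape also escapes quotes, so it is safe inside attribute values too);
    with escape=False it is interpolated verbatim, which is the defect that turns
    reflection into cross-site scripting."""
    shown = html.escape(set_name, quote=True) if escape else set_name
    return (
        "<html><head><title>" + shown + "</title></head>"
        "<body><h1>Set " + shown + "</h1></body></html>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters, nothing else."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def elements_in(document: str) -> list[str]:
    """Elements the HTML parser sees in the document. If the only elements
    are the template's own, the reflected text stayed text; if a 'script'
    element appears, the reflected text became markup."""
    collector = _TagCollector()
    collector.feed(document)
    collector.close()
    return collector.tags


TEMPLATE_ELEMENTS = {"html", "head", "title", "body", "h1"}


def reflected_text_became_markup(document: str) -> bool:
    """True when any element beyond the template's own appears in the page."""
    return any(tag not in TEMPLATE_ELEMENTS for tag in elements_in(document))


if __name__ == "__main__":
    for url in (URL_FROM_POST, URL_WITH_SCRIPT):
        name = set_name_from_url(url)
        for escape in (False, True):
            page = render_page(name, escape=escape)
            print(f"escape={escape!s:5} name={name!r:32} "
                  f"new elements created: {reflected_text_became_markup(page)}")
```

The "<--! hello" string from the post never produces an element in either rendering, which is Glenn's point: the scanner saw its input reflected and reported it, but nothing the browser would execute was created. The script-bearing input does produce a `script` element when interpolated verbatim and does not when escaped, so consistent output escaping of anything taken from the URL is the fix, independent of which login path (direct or Blackboard) is in use.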