Software Engineering Institute

CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3599

In Coursemill 6.6, when loading the home page (/coursemill/cm0660/home.html) the response to the userlogin.jsp request returns the user role as a parameter (passed to the client for processing). In Coursemill 6.8, this has been partially remediated. Privilege escalation is still possible without authentication.

CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3600
In Coursemill 6.6, the userid parameter is exploitable in certain functions. Using the "Edit Profile" function and replaying the request can result in access to another user (or privileged user's) information. It is unknown if this is remediated in version 6.8.

CWE-250: Execution with Unnecessary Privileges - CVE-2013-3601
In Coursemill 6.6, the application relies on JavaServer Pages (JSP) for user-executed functions. These function calls take an “op” parameter that tells the JSP which operation to run. Operations that should be restricted to administrators were found to be executable by users in a non-administrative Student role. This has been remediated in Coursemill 6.8

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2013-3602
In Coursemill 6.6, the following JSP call is intended to retrieve information about uploaded documents:
/coursemill/cm0660/admindocumentworker.jsp?op=info&docID=1&rndval=1348848360092&getAttrs=undefined

The docID parameter passes the numeric value of the document to the server which then retrieves the document data from the database. The application passes SQL statements directly from the user to the SQL server for processing. This has been remediated in Coursemill 6.8

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3603
In Coursemill 6.6, the application was observed to reflect error messages containing user-provided URL input directly to the browser without proper input validation and output encoding. This allows for a reflected XSS attack, whereby an attacker can pass a crafted link to a user which when clicked, executes malicious JavaScript to attack the user.

This is partially remediated in Coursemill 6.8. The application is still vulnerable to reflected XSS due to insufficient input validation and output encoding. The application attempts to remove event attributes by keyword - anything with the letters “on” (such as “onmouseover”) are removed. This can be defeated by inserting null bytes (%00) in between the “o” and the “n” which will evade the filter and allow the browser to execute the script. The additional validation step of removing closing brackets (“>” ) is also insufficient because some browsers, such as Internet Explorer, will tolerate lack of closing brackets and execute the HTML regardless.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3604
In Coursemill 6.6 and 6.8, a stored XSS attack is possible in several application inputs.
Coursemill 6.8 adds a filter for closing quotes, but does not filter other input (such as %22)

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-3605
Coursemill 6.6 relies on cookie values to authenticate a request from a user, rendering it vulnerable to CSRF attacks. Coursemill 6.8 adds CSRF tokens but they are constructed using predictable values (timestamps of the user).

An attacker can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which may result in information leakage or privilege escalation.

Apply an Update
Coursemill version 6.8 provides some remediation to these issues.