
Versions of open source TAO 3.3.0 RC2 and before have huge security vulnerabilities

See https://sec-consult.com/vulnerability-lab/advisory/multiple-xss-vulnerabilities-in-tao-open-source-assessment-platform/
Note: these people contacted TAO for many months. The vulnerabilities were discovered Sept 16, 2019 and TAO did not acknowledge until April 8, 2020.
So much for a commitment to open source. Their hosted version was OK.

Comments

  • I find this very interesting. TAO has been around for what, 15 years? And all their open source versions had security vulnerabilities until now? Unbelievable! I read the article, and until the above company released a security advisory they did not respond. Searching around I found that other companies also found the security vulnerabilities. Not a mention of it anywhere here when I searched. CHECK your version!

  • The claim that TAO has been around for 15 years and that therefore the vulnerability had existed for this period of time is incorrect. The article also doesn't claim that anywhere. If you found more articles that are not based on the original research, please post them here.

  • edited April 6

    The article says "Vulnerable versions <= 3.3.0 RC2" so, that would mean all versions before and including 3.3.0 RC2. Please clarify for me how long TAO open source has been around if you don't mind?
    I did find this reference on Wikipedia: "Latour, T. and Martin, R., ERCIM News, 71, October (2007) 32-33. TAO, An Open and Versatile Computer-Based Assessment Platform Based on Semantic Web Technology. Article in the journal ERCIM. 2006".
    Here are a few other articles: https://www.cvedetails.com/product/27641/Open-Assessment-Technologies--TAO.html?vendor_id=13310 and another https://www.exploit-db.com/exploits/48341 and another https://portswigger.net/daily-swig/open-source-assessment-platform-riddled-with-xss-flaws and another https://www.immuniweb.com/advisory/HTB23211 and another https://seclists.org/fulldisclosure/2020/Apr/3. I don't know if you have heard about Google? But if you go to google.com and type in "tao vulnerabilities" you will get a list.

  • edited April 7

    The research project for computer aided testing which eventually resulted in TAO has started around 2006. Early products from that period have always been called TAO, but they are technically not related to what TAO is today. OAT's 3.x branch is a major rewrite and the core has first been released in 2014. That doesn't necessarily mean that the vulnerability has been around this whole time.

    We are certainly open for constructive feedback as long as it's based on facts and communicated respectfully. Please keep it that way.

  • Sorry, I misspoke. Who knew TAO pre-2014 was not TAO? I am sure the people using it at that time thought it was TAO...
    So, you are saying that TAO 3.3.0 RC2 does not have security vulnerabilities?

    You state that "3.x branch is a major rewrite and the core has first been released in 2014. That doesn't necessarily mean that the vulnerability has been around this whole time." Do you want to send me a copy of the first 3.x branch core from 2014 and I will check it for vulnerabilities and tell you what I find? I don't mind, I have the time. Also, why don't you ask your engineers? And we can compare what they say and what I find.

    Why is there no report here of the vulnerabilities in TAO 3.3.0 RC2? Don't you think those who are running the program should be aware of the issues and told to upgrade?

    Oh, and since you are talking to the engineers, could you get them to answer if TAO core can support 200,000 simultaneous users?

    In regards to constructive feedback, what versions of TAO 3.x do your engineers believe are secure? I am sure many people here would like to know.

  • edited April 8

    TAO pre-2014 was also called TAO, but to my knowledge, it was more of a prototype and had a very different codebase. I'm not super familiar with versions prior to 3.x, though.

    To clarify, I don't deny TAO 3.3.0 RC2's vulnerabilities as stated in SEC's report.

    While the report says:

    Vulnerable Version
    <= 3.3.0 RC2

    it says further down:

    The following version has been tested, which was the most recent one at the time of the test:
    3.3.0 RC2

    In other words, we can't conclude that earlier versions have been concerned by the bug, although they might have been. Let's stick to the facts here.

    TAO is Open Source software licensed under the GPL-2. If you wish to contribute, for instance by looking into potential vulnerabilities you can obtain all versions - current ones as well as older ones - through https://github.com/oat-sa/. Create forks of the repositories you want to test and create Issues for the problems you find. If you want to provide patches for any of these problems please do so through Pull Requests on GitHub.

    Our business model mainly follows two tracks:
    We have customers that pay OAT for services and extensions. These customers receive regular updates, including those that are written as a result of professional pen tests. A very considerable chunk of the code that is written for these projects will be given back to the Open Source Community free of charge and under the terms of the GPL-2.

    For everybody else, we provide the software for free, which means they can download any version from GitHub and do whatever they want as long as they stay within the terms of the GPL-2. We don't track people that download the Open Source versions and we have no contact with them. We can't inform them of the latest versions. They get the software for free but it's within their own responsibility to keep it up-to-date. We know of several TAO users that have built a successful business model on top of the free version. In this context, please take a minute to read https://github.com/oat-sa/tao-core/blob/master/LICENSE#L296.

    If you decide to use the free version there is, however, no support other than through this forum. I can't, therefore, comment on your question regarding the number of users. If you wish to obtain professional support, please contact our sales department.

  • edited April 8

    Ok, I am going to stick to the facts.
    OAT does not want to say what open source versions of TAO 3.x are vulnerability free.
    The least you could do is inform your user community about what is safe to use.
    Your statement "and we have no contact with them." is absolutely false.
    You have contact with them here.
    The community mistakenly believes that your software is secure, and you do nothing to discourage them of this untruth.
    On your website it reads: "TAO’s open source framework ensures an enhanced level of security for your assessment platform and testing data."

    If patty1 had never posted the vulnerability, TAO would never have acknowledged it, let alone informed their user community about it.

    TAO sure has changed their focus over the years, from being proud of their open source software to "code that is written for these projects will be given back to the open source community".

    From the internet archives:
    Jan 6, 2014 "TAO is an Open Source e-Testing platform that empowers you to build, deliver, and share innovative and engaging assessments online – in any language or subject matter.".

    Dec 22, 2014 " Because TAO is Open Source, there are no annual license fees or recurring test delivery fees. Developed by a team of leading software engineers, TAO is regularly updated with new features, usability enhancements and under-the-hood improvements. All to ensure your assessments will always be state-of-the-art.".

    Mar 20, 2017 "Open source, Open standards, Open Possibilities".

    Now, it is "If you decide to use the free version there is, however, no support other than through this forum.".

    Open source got TAO the recognition they have, and now you have abandoned that community.

  • All dieter's bafflegab misses the point: which versions of TAO 3.x are secure??
    He states: "we can't conclude that earlier versions have been concerned by the bug, although they might have been."
    So he himself concludes that TAO does not know which versions are secure. And they do not care!

    The rest is just filler to draw your attention from the main point.
    I really feel for dieter, he has the untenable job of telling users open source TAO is secure, knowing full well that no one within the company will come out and say it is, because they know it isn't. The fact that no one from OAT reads any of this clearly displays their lack of interest in their open source software as compared to others like Moodle and QST.

  • edited April 9

    Every software has bugs and TAO is no exception. Open Source software makes the source public so that everybody can examine it. People that find bugs have the possibility to either raise an issue or to provide a patch and thereby contributing to the software. While it is true that OAT and its paying customers would benefit from such a patch, so does the Open Source community and everybody else who uses the software free of charge.

    OAT could have chosen to use a Closed Source model and cater to paying clients only as a considerable number of software vendors do. In this scenario the public would never have learned about this problem. Instead, we have chosen to let everybody participate and benefit, regardless whether someone wants to buy our services or not. We have chosen to be open for a public discussion as long as it stays respectful.

    With that being said, the Open Source version of TAO comes, as stated in the license:

    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE

    This whole discussion is about a vulnerability that has been fixed in version 3.4.0-sprint117 as pointed out in the original article, so this was known throughout the whole discussion.

    To put the vulnerability in perspective: It displays the password to people that just entered their password anyway, at least that's my understanding. Attackers, and they must be logged in, can execute JavaScript through forms. They can, however, not communicate with the server and for instance retrieve or manipulate data. In a critical vulnerability, this would be the case. I don't want to downplay the fact that the problem existed, but it has been fixed and the version has been available on GitHub ever since.

    We have no way to know which individual has downloaded the software, unless they contact us for additional services. It is obviously true that some people come here to the forum to request support, but this forum is based on Peer Support, not professional technical support. The idea is to have a community where users help each other. While we on occasion answer a question in here, our main role is to remove spam and abuse.

    Now to patty1's statements:

    All dieter's bafflegab misses the point, Which versions of TAO 3.x are secure??

    3.4.0-sprint117 and higher, as it says in the link you had posted yourself.

    He states: "we can't conclude that earlier versions have been concerned by the bug, although they might have been."
    So he himself concludes that TAO does not know which versions are secure.

    I don't claim that OAT doesn't know which versions are safe and which are not. I claim that only TAO 3.3.0 RC2 has been tested, and that we cannot deduce that other versions are concerned as well. OAT does regular pen tests as a part of the release process. That doesn't mean that it's bug-free, but we use best practices. When we learn of a vulnerability we fix it.

    The rest is just filler to draw your attention from the main point.

    What is the main point? You did not ask a question in the first place. You posted a piece of information.

    The fact that no one from OAT reads any of this clearly displays their lack of interest in their open source software as compared to others like Moodle and QST.

    I am in fact an OAT employee (in case this wasn't clear enough), I do read this and I do engage in a discussion. I do react when valid points are raised, I did acknowledge there was a problem and I did report the bug from https://www.exploit-db.com/exploits/48341. I won't, however, react to any kind of sarcasm or assertions that lack substance.

    In the course of this thread ubeanos had been asking for

    • a version of TAO that doesn't have the vulnerability. That answer was there all along: 3.4.0-sprint117 and higher
    • a copy of all older versions. I gave you the link and a pathway to handle your findings, unfortunately to no reaction from your side.

    Rather than engaging respectfully both of you raise new claims that try to shift away from the original subject and this is not helpful at all. The original subject of this thread is "There was a vulnerability in TAO and OAT has fixed it, although the flow of information was not great".

    If we weren't open for criticism, I could have deleted this discussion from the beginning. Instead, I have chosen to engage because it originally addressed a valid concern. Now, frankly speaking, I'm unhappy with the increasingly aggressive approach. I won't tolerate a discussion in this form and I will close it. You are welcome to participate in the forum in a constructive way but not like this.
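The class of bug debated in this thread is stored cross-site scripting: text a logged-in user submits through a form is later placed into a page without being escaped, so the browser treats it as markup instead of data. The standard fix is to escape at the point of output. The following is an added illustration written for this page, not TAO's or OAT's code and not taken from the SEC Consult advisory; the probe string and the field name are constructed, and the two renderers are generic templates that stand in for whatever real template produced the affected forms. It uses Python's html.parser to show what a browser would actually see in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (not from the advisory): the kind of text a
# logged-in user could type into a form field. It is a generic probe used
# only to compare escaped and unescaped output.
PROBE = '"><script>alert(1)</script>'


def render_field_unescaped(name, value):
    """Defect pattern: user-controlled text is pasted straight into HTML."""
    return f'<input name="{name}" value="{value}">'


def render_field_escaped(name, value):
    """Fix pattern: escape on output. quote=True also neutralises quote
    characters, which matters because the value sits inside an attribute."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input name="{safe_name}" value="{safe_value}">'


class _TagCollector(HTMLParser):
    """Records the tags a browser would build from a fragment, plus the
    attributes of the <input> the template intended to emit."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # html.parser unescapes attribute values, so this is the decoded
            # string a browser would place in the field.
            self.input_attrs = dict(attrs)


def browser_view(fragment):
    """Parse a fragment the way a browser would; return (tags, input attrs)."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.input_attrs


def is_inert(fragment):
    """True when the fragment yields exactly the one <input> the template
    intended, i.e. the submitted text stayed data and did not become markup."""
    tags, _ = browser_view(fragment)
    return tags == ["input"]


if __name__ == "__main__":
    for renderer in (render_field_unescaped, render_field_escaped):
        out = renderer("answer", PROBE)
        tags, attrs = browser_view(out)
        print(f"{renderer.__name__}: tags={tags} value={attrs.get('value')!r}")
```

Run stand-alone, the unescaped renderer yields an extra script tag alongside the input, while the escaped renderer yields a single input whose value attribute decodes back to the original text unchanged. That round trip is the property to test for in a template: escaping must preserve the data while preventing it from opening a new tag or attribute.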

This discussion has been closed.
