The Unsecured State Part 2 – EduBase XSS (Disclosed & Fixed)

This is part 2 of a series of blog posts looking at the security of the UK Government’s web infrastructure.

Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the case.

Don’t Press This Button

Pressing this button will send a POST request to the Department of Education’s EduBase website.

Code

HTML forms can direct your browser to POST information to any site. It’s even possible to hide the data from the user – so all they see is a big button to press.

<form method="post"
   id="quickSearch"
   action="http://www.education.gov.uk/edubase/home.xhtml" >
   <input id="establishmentName.value"
          name="establishmentName.value"
          type="hidden"
          value="<h1>XSS Demonstration</h1>
                 <h2><a href='http://www.teachers.org.uk/campaigns/protect-teachers'>Demo link</a></h2>
                 <img src='https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/tumblr_m811uzuyp91rcq3oko1_500.jpg'/><br />
                 <script>alert('JavaScript XSS');</script>"
   />
   <button>Demonstrate XSS</button>
</form>

Mitigation

Always escape untrusted data! Read the OWASP cheat sheet for more information.

When such a flaw is discovered and then reported, it is imperative that you have a plan to rapidly secure it. It took 27 days to get the fix into production. I’ve no idea how long it was open for – or how many people exploited it in that time.

In this case, the Department for Education have outsourced EduBase to Texuna – a technology partner. Texuna don’t have any secure way for people to report flaws to them and, when notified, struggled to find someone who could take responsibility.

Texuna seemed to me unable to convey the urgency of the situation to the DfE. A complicated public/private partnership with multiple stakeholders seems to mean that there is no way to escalate security issues.

While it is vitally important to thoroughly test security patches, there’s also a very real risk involved in leaving a system unpatched.

This is a textbook example of where outsourcing fails. The ideological agenda which promotes the lowest bidder is doomed to failure when a crisis occurs. Responsibility is diffused, no one is empowered to make decisions, and without proper management oversight critical bugs are left unfixed.

Compare and contrast to yesterday’s bug. An identical XSS bug in the Parliament.uk website was fixed over a weekend. Because the Parliament team was centralised and highly motivated they were able to accomplish something a “highly trusted partner” could not.

It is not known how many more of Texuna’s client’s sites are in a similarly unsecured state.

Timeline

5th February. Disclosed to Department of Education and their technology partner Texuna.
7th February. Disclosed to GovCertUK.
12th February. Contacted the TES Newspaper to allow them to report on the story.
26th February. According to Texuna a fix released – to be scheduled for production “soon”.
28th February. Informed Texuna of publication date.
3rd March. Fixed.
4th March. Published.

A Special Message For Michael Gove

6 thoughts on “The Unsecured State Part 2 – EduBase XSS (Disclosed & Fixed)”

Ben Smith says:

2014-03-04 at 13:01

I think you’ve over-stated the outsourcing element. Lack of escalation process and/or ownership (and problems responding to emergencies) isn’t unique to outsourced systems and the result is the same regardless.

Terence Eden says:
2014-03-04 at 14:13
It can certainly be a problem with internal teams. But I’ve never seen an outsourced team which has the same level of access to decision making members of staff in the “parent” organisation.
Additionally, outsourced partners are – in my experience – much more concerned about hitting contractual metrics rather than solving problems. Sometimes that works – often it doesn’t.
Reply
1. Ben Smith says:
  2014-03-04 at 21:53
  ‘Solving problems’ is a pretty good contractual metric, but it may also be that the customer here just doesn’t think it’s a good cost / benefit to pay for greater agility*.
  * Guessing, I have no knowledge of this site or supplier.
  Reply

Pingback: Hacked DfE website hosts article declaring 'Gove to teach all children himself' - Education - TES News

Pingback: Hacked DfE web page: ‘Michael Gove to teach all children himself’ | Political Scrapbook

Pingback: The Unsecured State Part 5 – Abandoned Inquiries ← Terence Eden's Blog

2020
January 31 posts	February 29 posts	March 31 posts
April 30 posts	May 31 posts	June 30 posts
July 31 posts	August 31 posts	September 30 posts
October 31 posts	November 30 posts	December

2019
January 31 posts	February 12 posts	March 17 posts
April 12 posts	May 12 posts	June 10 posts
July 7 posts	August 5 posts	September 6 posts
October 14 posts	November 30 posts	December 17 posts

2018
January 8 posts	February 4 posts	March 6 posts
April 14 posts	May 5 posts	June 6 posts
July 6 posts	August 13 posts	September 14 posts
October 8 posts	November 30 posts	December 4 posts

2017
January 12 posts	February 9 posts	March 8 posts
April 4 posts	May 10 posts	June 5 posts
July 5 posts	August 6 posts	September 3 posts
October 4 posts	November 30 posts	December

2016
January 10 posts	February 10 posts	March 11 posts
April 9 posts	May 8 posts	June 9 posts
July 6 posts	August 9 posts	September 4 posts
October 2 posts	November 30 posts	December 14 posts