class.coursera.org reflected XSS

In the beginning of May I decided I wanted to learn more about Chemistry, so I signed up for coursera.org’s organic chemistry course. In the process of getting set up, I found a reflected XSS and a few boolean values in the cookie that presented me with an admin interface. I reported the vulnerabilities to coursera.org on May 8th but received no response.

The reflected XSS is in the class.coursera.org domain, is very straightforward and was exploited in Firefox 21.0.

PoC: https://class.coursera.org/orgchem1a-001/lecture/subtitles?q=3_en<script>alert(document.domain);</script>&format=txt

[Screenshot: class.coursera.org xss]
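To make the reflection concrete, here is an added example (not Coursera's code and not from the original post) of a hypothetical subtitle-search handler that reproduces the pattern the PoC implies: the `q` parameter is written into the page unescaped, shown beside the same handler with HTML output encoding. The handler, its markup, and the `reflectsScript` check are assumptions for illustration; only the URL and the payload come from the PoC above.

```javascript
// Added example, not Coursera's code: a hypothetical subtitle-search handler
// that reproduces the pattern the PoC implies (the `q` parameter reflected
// into HTML unescaped), beside the same handler with output encoding.

// URL and payload from the PoC; everything else in this file is an assumption.
const POC_URL =
  'https://class.coursera.org/orgchem1a-001/lecture/subtitles' +
  '?q=3_en<script>alert(document.domain);</script>&format=txt';
const PAYLOAD = '3_en<script>alert(document.domain);</script>';

// Recover `q` the way a server-side framework would from the request URL.
// The URL parser percent-encodes '<' and '>' in the query and URLSearchParams
// decodes them again, so the payload reaches the handler intact.
function qFromUrl(url) {
  return new URL(url).searchParams.get('q');
}

// Vulnerable renderer: untrusted input concatenated straight into markup.
function renderSubtitlesVulnerable(q) {
  return '<h2>Subtitles matching "' + q + '"</h2>\n<p>No subtitles found.</p>';
}

// Encode the characters that change meaning in an HTML text or attribute
// context. A template engine that escapes by default does the same thing
// for every interpolation; this is the minimal hand-rolled form.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed renderer: identical markup, but the input is encoded on output.
function renderSubtitlesFixed(q) {
  return '<h2>Subtitles matching "' + escapeHtml(q) + '"</h2>\n<p>No subtitles found.</p>';
}

// Crude detector used only to compare the two outputs: does an unencoded
// <script ...> tag appear in the rendered page?
function reflectsScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone run: show whether a live script tag survives in each output.
const q = qFromUrl(POC_URL);
console.log('vulnerable:', reflectsScript(renderSubtitlesVulnerable(q)));
console.log('fixed:     ', reflectsScript(renderSubtitlesFixed(q)));
```

Run under Node. The only difference between the two renderers is the encoding step at the point where the untrusted value meets HTML, which is the fix for a reflected XSS of this kind regardless of which framework sits behind the real endpoint.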

The admin interface found at https://www.coursera.org/admin is not available to all users. Manipulating boolean cookie values opens the interface to anyone. However, it doesn’t appear you are able to do anything interesting once there.

Inside the ‘maestro_user’ cookie there are boolean values that control access to the www.coursera.org/admin interface. Because the cookie is sent by the browser, any check that reads these flags from it is trusting the client to report its own privileges. As they appear in the original cookie, the values are:
is_superuser=false
is_staff=false
identity_verified=false

With the values set to false, navigating to https://www.coursera.org/admin results in an error page indicating I do not have permission to view the administration portion of the site. After editing the ‘maestro_user’ cookie such that the values are as follows:
is_superuser=true
is_staff=true
identity_verified=true
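The check below is an added example, not the site's code, of why reading authorization flags from a cookie is the problem here: the cookie is client state, so a server that consults it is trusting the browser to say whether it is staff. The `maestro_user` layout (`&`-joined `key=value` pairs), the `session_id` cookie, the session table and the function names are all assumptions for illustration; only the three flag names and their false/true values come from the post.

```javascript
// Added example, not the site's code: authorization flags carried in a cookie
// can be flipped by the client; the hardened check reads them from server
// state instead. Cookie layout, session_id and the session table are assumed.

// Parse a Cookie request header into a name -> value map. Each value runs up
// to the next ';', so a value may itself contain '=' and '&'.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    cookies[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return cookies;
}

// Assumed maestro_user layout: '&'-joined key=value pairs.
function parseMaestroUser(value) {
  const fields = {};
  for (const pair of value.split('&')) {
    const i = pair.indexOf('=');
    if (i > 0) fields[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return fields;
}

function serializeMaestroUser(fields) {
  return Object.entries(fields).map(([k, v]) => k + '=' + v).join('&');
}

// What the post describes: rewrite the three flags to true inside the cookie.
function elevateFlags(cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  const fields = parseMaestroUser(cookies.maestro_user || '');
  for (const flag of ['is_superuser', 'is_staff', 'identity_verified']) fields[flag] = 'true';
  cookies.maestro_user = serializeMaestroUser(fields);
  return Object.entries(cookies).map(([k, v]) => k + '=' + v).join('; ');
}

// Vulnerable check: decides on the flags the browser sent.
function canViewAdminVulnerable(cookieHeader) {
  const fields = parseMaestroUser(parseCookieHeader(cookieHeader).maestro_user || '');
  return fields.is_staff === 'true' || fields.is_superuser === 'true';
}

// Constructed server-side session store: the browser holds only an opaque id.
const SESSIONS = {
  'sess-7f3a': { userId: 1001, is_staff: false, is_superuser: false },
  'sess-c21d': { userId: 17, is_staff: true, is_superuser: false },
};

// Hardened check: flags come from server state keyed by the session id, and
// whatever maestro_user claims is ignored for authorization.
function canViewAdminFixed(cookieHeader) {
  const session = SESSIONS[parseCookieHeader(cookieHeader).session_id];
  return Boolean(session && (session.is_staff || session.is_superuser));
}

// Constructed cookie header for an ordinary, non-staff user.
const ORIGINAL_COOKIE =
  'session_id=sess-7f3a; maestro_user=id=1001&is_superuser=false&is_staff=false&identity_verified=false';
const TAMPERED_COOKIE = elevateFlags(ORIGINAL_COOKIE);

console.log('vulnerable, original:', canViewAdminVulnerable(ORIGINAL_COOKIE));
console.log('vulnerable, tampered:', canViewAdminVulnerable(TAMPERED_COOKIE));
console.log('fixed, tampered:     ', canViewAdminFixed(TAMPERED_COOKIE));
```

Run under Node. The tampered cookie passes the vulnerable check and fails the hardened one because the latter never reads `is_staff` or `is_superuser` from the request at all. A signed cookie would also stop this particular edit, but keeping privilege state on the server is the simpler rule: the client should carry an identifier, not its own permissions.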
