In the beginning of May I decided I wanted to learn more about Chemistry, so I signed up for coursera.org’s organic chemistry course. In the process of getting set up, I found a reflected XSS and a few boolean values in the cookie that presented me with an admin interface. I reported the vulnerabilities to coursera.org on May 8th but received no response.
The reflected XSS is in the class.coursera.org domain, is very straightforward and was exploited in Firefox 21.0.
The admin interface found at https://www.coursera.org/admin is not available to all users. Manipulating boolean cookie values opens the interface to anyone. However, it doesn’t appear you are able to do anything interesting once there.
Inside the ‘maestro_user’ cookie, there are boolean values that control access to the www.coursera.org/admin interface. These values as they appear in the original cookie are:
With the values set to false, navigating to https://www.coursera.org/admin results in an error page indicating I do not have permission to view the administration portion of the site. After editing the ‘maestro_user’ cookie such that the values are as follows:
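To make the cookie issue concrete, here is an added example (my own illustration, not code from the post or from Coursera) that puts the anti-pattern next to its fix: a check that trusts an admin boolean stored in the ‘maestro_user’ cookie, beside one that keeps only an HMAC-signed identity token in the cookie and looks the role up server-side. The field names, the URL-encoded JSON layout, the secret and the user store are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed demo values. 'maestro_user' is the cookie name from the post; the
# field names ('is_admin', 'session'), the URL-encoded JSON format, the secret
# and the user store are assumptions made for this example.
SERVER_SECRET = b"constructed-demo-secret"
USERS = {"alice": {"is_admin": False}, "ops": {"is_admin": True}}


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name.strip(): value.strip() for name, _, value in pairs}


def maestro_user(header):
    """Decode the 'maestro_user' cookie (assumed to be URL-encoded JSON)."""
    raw = parse_cookie_header(header).get("maestro_user")
    return json.loads(unquote(raw)) if raw else {}


def weak_admin_check(header):
    """Anti-pattern from the post: authorization read from a client-controlled flag."""
    return bool(maestro_user(header).get("is_admin", False))


def mint_session(user):
    """Server issues an identity token: user + HMAC over it; the role stays server-side."""
    mac = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def hardened_admin_check(header):
    """Fix: verify the token's MAC, then look the role up in server-side state."""
    user, _, mac = maestro_user(header).get("session", "").rpartition(".")
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(mac, expected):
        return False
    return USERS.get(user, {}).get("is_admin", False)


def build_cookie(fields):
    """Encode a maestro_user cookie the way a browser would send it back."""
    return "maestro_user=" + quote(json.dumps(fields))


if __name__ == "__main__":
    # A non-admin user flips the boolean in their own cookie, as described in the post.
    tampered = build_cookie({"is_admin": True, "session": mint_session("alice")})
    print(weak_admin_check(tampered))      # True: the flag is trusted as-is
    print(hardened_admin_check(tampered))  # False: alice is not an admin server-side
```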