Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)
Risk: High
Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.

Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.

Details
-------
1) Multiple Cross site scripting vulnerabilities have been found in the following pages:

claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data="">
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.

claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.

4) Four remote file inclusion vulnerabilities have been discovered.
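
Added example (not part of the Zone-H advisory and not Claroline code): a Python check that flags access-log requests to Claroline pages whose parameters look like the example URLs above. The log lines, the combined log format and the rule names are constructed for illustration; the traversal and remote-inclusion rules are generic, since the advisory names no parameters for those two classes.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines: the first four request targets are the
# advisory's example URLs, the last is a benign request. IPs are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [27/Apr/2005:10:00:01 +0200] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 5120
192.0.2.10 - - [27/Apr/2005:10:00:05 +0200] "GET /claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1" 200 4801
192.0.2.11 - - [27/Apr/2005:10:01:12 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1" 200 3300
192.0.2.12 - - [27/Apr/2005:10:02:40 +0200] "GET /claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2950
198.51.100.7 - - [27/Apr/2005:10:03:02 +0200] "GET /claroline/user/userInfo.php?uInfo=12 HTTP/1.1" 200 4100
'''
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
RULES = {
    "sqli": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
    # Generic checks: the advisory names no parameters for these two classes.
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    "rfi": re.compile(r"^\s*(?:https?|ftp)://", re.I),
}

def classify(target):
    """Return the rule names matched by any query parameter of a Claroline URL."""
    parts = urlsplit(target)
    if "/claroline/" not in parts.path:
        return set()
    hits = set()
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)                    # undo a second layer of encoding
        value = re.sub(r"/\*.*?\*/", " ", value)  # /**/ used in place of spaces
        hits |= {rule for rule, rx in RULES.items() if rx.search(value)}
    return hits

def scan(log_text):
    """Return (client, path, matched rules) for each suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        hits = classify(m.group(2)) if m else set()
        if hits:
            findings.append((m.group(1), urlsplit(m.group(2)).path, sorted(hits)))
    return findings

if __name__ == "__main__":
    for client, path, rules in scan(SAMPLE_LOG):
        print(client, path, ",".join(rules))
```

Only the query string is inspected, so payloads sent in POST bodies do not appear in a standard access log and are not covered by this check.
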
Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at [EMAIL PROTECTED]
Thanks to University Montpellier 2.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
