[VulnWatch] ZRCSA-200501 - Multiple vulnerabilities in Claroline

From: Siegfried (siegfri3d_at_gmail.com)
Date: 04/27/05

    To: <vulnwatch@vulnwatch.org>
    Date: Wed, 27 Apr 2005 21:29:16 +0200
    
    

    Zone-H Research Center Security Advisory 200501
    http://fr.zone-h.org

    Date of release: 27/04/2005

    Software: Claroline (www.claroline.net)

    Affected versions:
    1.5.3
    1.6 beta
    1.6 Release Candidate 1
    (probably previous versions too)

    Risk: High

    Discovered by:
    Kevin Fernandez "Siegfried"
    Mehdi Oudad "deepfear"
    from the Zone-H Research Team

    Background (from their web site)
    ----------
    Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.

    Description
    -----------
    Multiple cross-site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.

    Details
    -------

    1) Multiple cross-site scripting vulnerabilities have been found in the following pages:
    claroline/exercice/exercise_result.php
    claroline/exercice/exercice_submit.php
    claroline/calendar/myagenda.php
    claroline/calendar/agenda.php
    claroline/tracking/user_access_details.php
    claroline/tracking/toolaccess_details.php
    claroline/learnPath/learningPathList.php
    claroline/learnPath/learningPathAdmin.php
    claroline/learnPath/learningPath.php
    claroline/tracking/userLog.php
    [..]

    Examples:
    claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
    claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
    claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    [..]

    2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.
    claroline/learnPath/learningPath.php (3)
    claroline/tracking/exercises_details.php
    claroline/learnPath/learningPathAdmin.php
    claroline/tracking/learnPath_details.php
    claroline/user/userInfo.php (2)
    claroline/learnPath/modules_pool.php
    claroline/learnPath/module.php

    Examples:
    claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
    claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
    [..]

    3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files to arbitrary folders or copy/move/delete (then view) files in arbitrary folders by performing directory traversal attacks.

    4) Four remote file inclusion vulnerabilities have been discovered.

    Solution
    --------
    Claroline users are urged to update to version 1.54 or 1.6 final:
    http://www.claroline.net/download.htm

    See also:
    http://www.claroline.net/news.php#85
    http://www.claroline.net/news.php#86

    Timeline
    --------
    18/04 Vulnerabilities found
    22/04 Vendor contacted (quick answer)
    25/04 Claroline 1.54 released
    26/04 Claroline 1.6 final released
    27/04 Users alerted via the mailing list
    27/04 Advisory released

    French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
    English version: http://www.zone-h.org/advisories/read/id=7472

    Zone-H Research Center
    http://fr.zone-h.org

    Join us on #zone-h @ irc.eu.freenode.net

    You can contact the team leader at deepfear@fr.zone-h.org

    Thanks to University Montpellier 2.
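
For administrators checking whether an unpatched installation saw requests of the kind shown in the Examples above, the following is an added detection sketch, not part of the advisory or of Claroline. It assumes Apache-style access logs; the script and parameter names come from the advisory's example requests, while treating `uInfo` and `exo_id` as plain numeric ids and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters, taken from the advisory's example requests.
WATCHED = {
    "claroline/tracking/toolaccess_details.php": {"tool"},
    "claroline/tracking/user_access_details.php": {"data"},
    "claroline/calendar/myagenda.php": {"coursePath"},
    "claroline/user/userInfo.php": {"uInfo"},
    "claroline/tracking/exercises_details.php": {"exo_id"},
}
NUMERIC = {"uInfo", "exo_id"}  # assumption: plain numeric ids in normal use
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
UNION_SELECT = re.compile(r"union(?:\s|/\*.*?\*/)+select", re.I | re.S)

def classify(target):
    """Return [(param, reason)] for one request target (path?query)."""
    parts = urlsplit(target)
    params = next((p for s, p in WATCHED.items()
                   if parts.path.endswith("/" + s)), None)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if params is None or name not in params:
            continue
        if UNION_SELECT.search(value):
            hits.append((name, "sql-union"))
        elif "<" in value or ">" in value:
            hits.append((name, "markup"))
        elif name in NUMERIC and not re.fullmatch(r"\d+", value):
            hits.append((name, "non-numeric-id"))
    return hits

def scan(lines):
    """Return [(line_number, param, reason)] over access-log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            findings += [(n, p, r) for p, r in classify(m.group(1))]
    return findings

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Apr/2005:21:30:01 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1" 200 512
192.0.2.10 - - [27/Apr/2005:21:30:09 +0200] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 734
192.0.2.11 - - [27/Apr/2005:21:31:40 +0200] "GET /claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1" 200 690
192.0.2.12 - - [27/Apr/2005:21:32:02 +0200] "GET /claroline/user/userInfo.php?uInfo=12 HTTP/1.1" 200 2048
192.0.2.12 - - [27/Apr/2005:21:32:05 +0200] "GET /claroline/calendar/myagenda.php HTTP/1.1" 200 4096
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the query string is inspected, so parameters sent in POST bodies are not covered, and the scripts the advisory lists without example parameters would need their own entries in `WATCHED`.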

