ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting

Type packetstorm
Reporter Moritz Bechler
Modified 2018-05-22T00:00:00


                                            `Advisory ID: SYSS-2018-007  
Product: ILIAS  
Affected Version(s): 5.3.2, 5.2.14, 5.1.25  
Tested Version(s): 5.3.2, 5.2.12  
Vulnerability Type: Reflected Cross-Site-Scripting  
Risk Level: MEDIUM  
Solution Status: Fixed  
Manufacturer Notification: 2018-03-29  
Solution Date: 2018-04-25  
Public Disclosure: 2018-05-18  
CVE Reference: CVE-2018-10428  
Author of Advisory: Moritz Bechler, SySS GmbH  
ILIAS is a e-Learning platform.  
The manufacturer describes the product as follows (see [1]):  
"ILIAS is a powerful Open Source Learning Management System for developing  
and realising web-based e-learning. The software was developed to reduce  
the costs of using new media in education and further training and to  
ensure the maximum level of customer influence in the implementation of  
the software. ILIAS is published under the General Public Licence and  
free of charge."  
Due to inconsistencies in parameter handling ILIAS is vulnerable to  
reflected cross-site-scripting in various locations.  
Vulnerability Details:  
Request parameters handled through the saveParameter() mechanism can be  
supplied through both URL parameters and application/x-www-form-urlencoded  
POST bodies. These parameters will be included in the constructed HTML form  
action URL without further encoding. While URL parameters are generally  
sanitized by stripping HTML tags and a variety of characters, this is not  
the case for parameters from the POST body.  
Requesting a page with a saved parameter using a POST request, and supplying  
that parameter inside the POST body, will therefor result in that value  
being embedded into the page without proper escaping.  
Instances of this issue have been identified in the ilStartupGui as well  
as the ilCalendarAppointmentGUI pages, but there are likely more vulnerable  
The necessary POST request can be initied by a third party site by  
submitting a HTML form through JavaScript.  
An attacker crafting such a site and tricking an user into visiting it  
can therefor supply arbitrary JavaScript code to be executed in the  
context of the target application.  
This is suited to either execute arbitrary operations as an already  
authenticated users or to steal a not-yet authenticated users credentials  
by redirecting him to the regular login page with malicious JavaScript code  
embedded sending them to a third-party server.  
Proof of Concept (PoC):  
'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI  
which can be accessed via POST,  
Cookie: PHPSESSID=[...]; ilClientId=test  
Content-Type: application/x-www-form-urlencoded  
That request results in the <script> tag from the 'seed' value being  
embedded in the response in multiple places so that a browser will  
execute the JavaScript code.  
HTTP/1.1 200 OK  
<form id="form_" role="form"  
class="form-horizontal preventDoubleSubmission"  
method="post" novalidate="novalidate">  
Update to software version to ILIAS 5.3.4/5.2.15/5.1.26.  
Disclosure Timeline:  
2018-03-26: Vulnerability discovered  
2018-03-29: Vulnerability reported to manufacturer  
2018-04-25: Patch released by manufacturer  
2018-05-18: Public disclosure of vulnerability  
[1] Product website for ILIAS  
[2] SySS Security Advisory SYSS-2018-007  
[3] SySS Responsible Disclosure Policy  
This security vulnerability was found by Moritz Bechler of SySS GmbH.  
Public Key: ://  
Key ID: 0x768EFE2BB3E53DDA  
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
Creative Commons - Attribution (by) - Version 3.0