Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org
Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)
Risk: High
Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team
Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.
Description
-----------
Multiple cross-site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.
Details
-------
1) Multiple cross-site scripting vulnerabilities have been found in the following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]
Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]
2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php
Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]
3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.
4) Four remote file inclusion vulnerabilities have been discovered.
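
The request patterns shown in the XSS and SQL injection examples above can be searched for in web server access logs. The following is an added example, not part of the Zone-H advisory or of Claroline; it assumes Combined Log Format and an installation served under /claroline/, and the names classify, scan and SAMPLE_LOG are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# An HTML tag opening inside a parameter value (reflected-XSS probes).
XSS_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)
# UNION [ALL] SELECT with whitespace or /**/ comments between keywords.
GAP = r"(?:\s|/\*.*?\*/)+"
SQLI_RE = re.compile(rf"\bunion{GAP}(?:all{GAP})?select\b", re.I | re.S)
# Request field of a Combined Log Format line.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return sorted (param, finding) pairs for one request target."""
    parts = urlsplit(target)
    # Assumption: the application is served under a /claroline/ path.
    if "/claroline/" not in parts.path or not parts.path.endswith(".php"):
        return []
    found = set()
    # parse_qsl percent-decodes values, so %3Cscript%3E is matched as <script>.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if XSS_RE.search(value):
            found.add((name, "xss"))
        if SQLI_RE.search(value):
            found.add((name, "sqli"))
    return sorted(found)

def scan(lines):
    """Return (line_number, finding, param) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hits += [(n, kind, param) for param, kind in classify(m.group(1))]
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2005:10:00:01 +0200] "GET /claroline/user/userInfo.php?uInfo=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Apr/2005:10:02:13 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert(\'xss\');%3C/script%3E HTTP/1.1" 200 2210',
    '198.51.100.7 - - [28/Apr/2005:10:02:40 +0200] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 1873',
    '203.0.113.5 - - [28/Apr/2005:10:05:02 +0200] "GET /claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1" 200 1990',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits on these scripts in logs predating the upgrade are a reason to review the affected accounts; the patterns are heuristics and will miss payloads sent in POST bodies.
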
Solution
--------
Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm
See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86
Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released
French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472
Zone-H Research Center
http://fr.zone-h.org
Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at [email protected]
Thanks to University Montpellier 2.