Zone-H Research Center Security Advisory 200501 http://fr.zone-h.org
Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions: 1.5.3 1.6 beta 1.6 Release Candidate 1 (probably previous versions too)
Discovered by: Kevin Fernandez "Siegfried" Mehdi Oudad "deepfear" from the Zone-H Research Team
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.
1)Multiple Cross site scripting vulnerabilities have been found in the following pages: claroline/exercice/exercise_result.php claroline/exercice/exercice_submit.php claroline/calendar/myagenda.php claroline/calendar/agenda.php claroline/tracking/user_access_details.php claroline/tracking/toolaccess_details.php claroline/learnPath/learningPathList.php claroline/learnPath/learningPathAdmin.php claroline/learnPath/learningPath.php claroline/tracking/userLog.php [..]
Examples: claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E [..]
2)10 SQL injections have been found, they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students. claroline/learnPath/learningPath.php (3) claroline/tracking/exercises_details.php claroline/learnPath/learningPathAdmin.php claroline/tracking/learnPath_details.php claroline/user/userInfo.php (2) claroline/learnPath/modules_pool.php claroline/learnPath/module.php
Examples: claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* claroline/tracking/exercises_details.php?exo_id=-1//UNION//SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- [..]
3)Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.
4)Four remote file inclusion vulnerabilities have been discovered.
The Claroline users are urged to update to version 1.54 or 1.6 final: http://www.claroline.net/download.htm
See also: http://www.claroline.net/news.php#85 http://www.claroline.net/news.php#86
18/04 Vulnerabilities found 22/04 Vendor contacted (quick answer) 25/04 Claroline 1.54 released 26/04 Claroline 1.6 final released 27/04 Users alerted via the mailing list 27/04 Advisory released
French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/ English version: http://www.zone-h.org/advisories/read/id=7472
Zone-H Research Center http://fr.zone-h.org
Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at firstname.lastname@example.org
Thanks to University Montpellier 2.