ZRCSA-200501 - Multiple vulnerabilities in Claroline

2005-04-28T00:00:00
ID SECURITYVULNS:DOC:8467
Type securityvulns
Reporter Securityvulns
Modified 2005-04-28T00:00:00

Description

Zone-H Research Center Security Advisory 200501 http://fr.zone-h.org

Date of release: 27/04/2005

Software: Claroline (www.claroline.net)

Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)

Risk: High

Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)

Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.

Description

Multiple cross-site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.

Details

1) Multiple cross-site scripting vulnerabilities have been found in the following pages:

claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:

claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students. Affected pages (number of injections in parentheses):

claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:

claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1//UNION//SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files to arbitrary folders, or to copy, move or delete (and then view) files in arbitrary folders.

4) Four remote file inclusion vulnerabilities have been discovered.
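A log check for the parameters named in the examples above, as an added example that is not part of the original advisory or of Claroline's code. It assumes combined-format access logs and that uInfo and exo_id are numeric identifiers (inferred from the examples); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# (script, parameter) pairs taken from the advisory's example URLs.
# Assumption: uInfo and exo_id are meant to be numeric ids, as the examples suggest.
NUMERIC = {("userInfo.php", "uInfo"), ("exercises_details.php", "exo_id")}
NO_MARKUP = {("toolaccess_details.php", "tool"),
             ("user_access_details.php", "data"),
             ("myagenda.php", "coursePath")}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return [(parameter, finding), ...] for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qsl percent-decodes, so %3C and %20 are checked in decoded form.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if (script, key) in NUMERIC and not re.fullmatch(r"\d+", value):
            findings.append((key, "non-numeric id"))
        if (script, key) in NO_MARKUP and re.search(r"[<>\"']", value):
            findings.append((key, "markup characters"))
    return findings

def scan(lines):
    """Return {line_number: findings} for the lines that have findings."""
    hits = {n: classify(line) for n, line in enumerate(lines, start=1)}
    return {n: found for n, found in hits.items() if found}

# Constructed log lines; the query strings reuse the advisory's own examples.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2005:10:00:01 +0200] '
    '"GET /claroline/user/userInfo.php?uInfo=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Apr/2005:10:02:13 +0200] '
    '"GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,'
    'password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 734',
    '192.0.2.44 - - [28/Apr/2005:10:03:40 +0200] '
    '"GET /claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3E'
    'alert(document.cookie)%3C/script%3E HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, found)
```

Only GET query strings are inspected; values sent in POST bodies do not appear in access logs and need application-level logging to review.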

Solution

Claroline users are urged to update to version 1.54 or 1.6 final: http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline

18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net

You can contact the team leader at deepfear@fr.zone-h.org

Thanks to University Montpellier 2.