what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting
Posted May 22, 2018
Authored by Moritz Bechler | Site syss.de

ILIAS versions 5.3.2, 5.2.14, and 5.1.25 suffer from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-10428
SHA-256 | 2aac0222aebf2e7413630a3b07065dedd067ddc45d6a86a9fc12a1676428cf5d

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2018-007
Product: ILIAS
Affected Version(s): 5.3.2, 5.2.14, 5.1.25
Tested Version(s): 5.3.2, 5.2.12
Vulnerability Type: Reflected Cross-Site-Scripting
Risk Level: MEDIUM
Solution Status: Fixed
Manufacturer Notification: 2018-03-29
Solution Date: 2018-04-25
Public Disclosure: 2018-05-18
CVE Reference: CVE-2018-10428
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ILIAS is a e-Learning platform.

The manufacturer describes the product as follows (see [1]):

"ILIAS is a powerful Open Source Learning Management System for developing
and realising web-based e-learning. The software was developed to reduce
the costs of using new media in education and further training and to
ensure the maximum level of customer influence in the implementation of
the software. ILIAS is published under the General Public Licence and
free of charge."

Due to inconsistencies in parameter handling ILIAS is vulnerable to
reflected cross-site-scripting in various locations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Request parameters handled through the saveParameter() mechanism can be
supplied through both URL parameters and application/x-www-form-urlencoded
POST bodies. These parameters will be included in the constructed HTML form
action URL without further encoding. While URL parameters are generally
sanitized by stripping HTML tags and a variety of characters, this is not
the case for parameters from the POST body.

Requesting a page with a saved parameter using a POST request, and supplying
that parameter inside the POST body, will therefor result in that value
being embedded into the page without proper escaping.

Instances of this issue have been identified in the ilStartupGui as well
as the ilCalendarAppointmentGUI pages, but there are likely more vulnerable
instances.

The necessary POST request can be initied by a third party site by
submitting a HTML form through JavaScript.
An attacker crafting such a site and tricking an user into visiting it
can therefor supply arbitrary JavaScript code to be executed in the
context of the target application.

This is suited to either execute arbitrary operations as an already
authenticated users or to steal a not-yet authenticated users credentials
by redirecting him to the regular login page with malicious JavaScript code
embedded sending them to a third-party server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):


'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI
which can be accessed via POST,

POST
/ILIAS-5.3.2/ilias.php?cmd=add&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI
HTTP/1.1
[...]
Cookie: PHPSESSID=[...]; ilClientId=test
Content-Type: application/x-www-form-urlencoded
[...]
seed="><script>alert(123)</script>


That request results in the <script> tag from the 'seed' value being
embedded in the response in multiple places so that a browser will
execute the JavaScript code.

HTTP/1.1 200 OK
[...]
<form id="form_" role="form"
class="form-horizontal preventDoubleSubmission"
action="ilias.php?seed="><script>alert(123)</script>
&cmd=post&cmdClass=ilcalendarappointmentgui&cmdNode=zm:ao:b1&baseClass=ilPersonalDesktopGUI&rtoken=[...]"
method="post" novalidate="novalidate">
[..]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version to ILIAS 5.3.4/5.2.15/5.1.26.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-03-26: Vulnerability discovered
2018-03-29: Vulnerability reported to manufacturer
2018-04-25: Patch released by manufacturer
2018-05-18: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ILIAS
https://github.com/ILIAS-eLearning/ILIAS
[2] SySS Security Advisory SYSS-2018-007

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-007.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close