exploit the possibilities

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting
Posted May 22, 2018
Authored by Moritz Bechler

ILIAS versions 5.3.2, 5.2.14, and 5.1.25 suffer from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-10428
MD5 | e040c53ef97a1cf82b56b47ee94179a8

ILIAS 5.3.2 / 5.2.14 / 5.1.25 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2018-007
Product: ILIAS
Affected Version(s): 5.3.2, 5.2.14, 5.1.25
Tested Version(s): 5.3.2, 5.2.12
Vulnerability Type: Reflected Cross-Site-Scripting
Risk Level: MEDIUM
Solution Status: Fixed
Manufacturer Notification: 2018-03-29
Solution Date: 2018-04-25
Public Disclosure: 2018-05-18
CVE Reference: CVE-2018-10428
Author of Advisory: Moritz Bechler, SySS GmbH



ILIAS is a e-Learning platform.

The manufacturer describes the product as follows (see [1]):

"ILIAS is a powerful Open Source Learning Management System for developing
and realising web-based e-learning. The software was developed to reduce
the costs of using new media in education and further training and to
ensure the maximum level of customer influence in the implementation of
the software. ILIAS is published under the General Public Licence and
free of charge."

Due to inconsistencies in parameter handling ILIAS is vulnerable to
reflected cross-site-scripting in various locations.


Vulnerability Details:

Request parameters handled through the saveParameter() mechanism can be
supplied through both URL parameters and application/x-www-form-urlencoded
POST bodies. These parameters will be included in the constructed HTML form
action URL without further encoding. While URL parameters are generally
sanitized by stripping HTML tags and a variety of characters, this is not
the case for parameters from the POST body.

Requesting a page with a saved parameter using a POST request, and supplying
that parameter inside the POST body, will therefor result in that value
being embedded into the page without proper escaping.

Instances of this issue have been identified in the ilStartupGui as well
as the ilCalendarAppointmentGUI pages, but there are likely more vulnerable

The necessary POST request can be initied by a third party site by
submitting a HTML form through JavaScript.
An attacker crafting such a site and tricking an user into visiting it
can therefor supply arbitrary JavaScript code to be executed in the
context of the target application.

This is suited to either execute arbitrary operations as an already
authenticated users or to steal a not-yet authenticated users credentials
by redirecting him to the regular login page with malicious JavaScript code
embedded sending them to a third-party server.


Proof of Concept (PoC):

'seed' is a saved parameter for the add action of ilCalendarAppointmentGUI
which can be accessed via POST,

Cookie: PHPSESSID=[...]; ilClientId=test
Content-Type: application/x-www-form-urlencoded

That request results in the <script> tag from the 'seed' value being
embedded in the response in multiple places so that a browser will
execute the JavaScript code.

HTTP/1.1 200 OK
<form id="form_" role="form"
class="form-horizontal preventDoubleSubmission"
method="post" novalidate="novalidate">



Update to software version to ILIAS 5.3.4/5.2.15/5.1.26.


Disclosure Timeline:

2018-03-26: Vulnerability discovered
2018-03-29: Vulnerability reported to manufacturer
2018-04-25: Patch released by manufacturer
2018-05-18: Public disclosure of vulnerability



[1] Product website for ILIAS
[2] SySS Security Advisory SYSS-2018-007

[3] SySS Responsible Disclosure Policy



This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web



Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By