Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline versions 1.6 and below.
Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org
Date of release: 27/04/2005
Software: Claroline (www.claroline.net)
Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)
Risk: High
Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team
Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.
Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.
Details
-------
1) Multiple Cross site scripting vulnerabilities have been found in the following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]
Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]
2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php
Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]
3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.
4)Four remote file inclusion vulnerabilities have been discovered.
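A log check for the request patterns shown in the XSS and SQL injection examples of items 1 and 2, as an added example that is not part of the original advisory: it flags requests to the listed scripts whose parameters carry markup or a non-integer identifier. The parameter names come from the example URLs; treating `uInfo` and `exo_id` as integer identifiers is an assumption, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script -> parameter names, both taken from the advisory's example URLs.
# Assumption: uInfo and exo_id are integer identifiers in legitimate use.
INTEGER_PARAMS = {
    "claroline/user/userInfo.php": {"uInfo"},
    "claroline/tracking/exercises_details.php": {"exo_id"},
}
NO_MARKUP_PARAMS = {
    "claroline/tracking/toolaccess_details.php": {"tool"},
    "claroline/tracking/user_access_details.php": {"data"},
    "claroline/calendar/myagenda.php": {"coursePath"},
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def _names(table, path):
    # Match on the path suffix so installs under a sub-directory are covered.
    return set().union(*(n for script, n in table.items() if path.endswith(script)))

def check_target(target):
    """Return sorted (parameter, reason) findings for one request target."""
    parts = urlsplit(target)
    findings = set()
    # parse_qsl percent-decodes values, so encoded payloads are tested decoded.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in _names(INTEGER_PARAMS, parts.path) and not re.fullmatch(r"\d+", value):
            findings.add((name, "non-integer id"))
        if name in _names(NO_MARKUP_PARAMS, parts.path) and re.search(r"[<>]", value):
            findings.add((name, "markup in value"))
    return sorted(findings)

def scan(log_lines):
    """Return (line_number, findings) for each access-log line that trips a check."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and check_target(match.group(1)):
            hits.append((number, check_target(match.group(1))))
    return hits

# Constructed sample log lines (client addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /claroline/user/userInfo.php?uInfo=42 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 4810',
    '192.0.2.77 - - [01/Jan/2024:10:00:09 +0000] "GET /lms/claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert(\'xss\');%3C/script%3E HTTP/1.1" 200 2200',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /claroline/calendar/myagenda.php?coursePath=MATH101 HTTP/1.1" 200 3100',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```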
Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm
See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86
Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released
French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472
Zone-H Research Center
http://fr.zone-h.org
Join us on #zone-h @ irc.eu.freenode.net
You can contact the team leader at deepfear@fr.zone-h.org
Thanks to University Montpellier 2.