== BRIEFING ==
Ilias is a LMS (Learning Management System) created by a german university. It's used by universities, schools and high schools around the world.
This document is the advisory sent to Ilias Security Team, therefore it is written in present time.
Personally, I've worked previously with this team and vulnerabilities was patched in short time, but this release takes almost two months. Anyway, I think that it is a punctual fact.
Examples are tested against my old university. I had already finished XD.
I know that my english is :( but it was enough to help.
Credits given: 4.0.5 Release Notes
TITLE: MULTIPLE VULNERABILITIES IN ILIAS 4.0.3 (2010-01-26)
AUTHOR:JOSÉ A. VÁZQUEZ GONZÁLEZ
IMPACT: COOKIE STEALING AND MORE (MULTIPLE)]
DISCOVERED DATE: 2010-02-19
== DISCLAIMER ==
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
== FIRST: SIMPLE BUG (NOT INJECTABLE) ==
Risk: Low
Using tag GET var, we could stop comments, but here XSS or HTML INJECTIONS is not possible, this would be a simple BUG.
-> Issue in [BUG]
Fig. 1: Simple bug.
This will be the HTML source code returned:
... --> &#" id="block_pdcontent_0_blimg" /> -->
We use End Comment Tag (-->).
Anyway, html tags are restricted so this isn't exploitable with a HTML or XSS Injection.
== SECOND: XSS O HTML INJECTION (PERSISTENT) ==
Risk: Medium
Edit your profile in -> http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
Changing Personal Information, setting for Street, City and Country:
XSS by J. A. Vazquez " onmouseover="alert('J.A. Vazquez');//
Save this changes.
Now go to Location --> http://[HOST]/ilias.php?cmd=showLocation&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
When you move mouse in input tag, with value: "XSS by J. A. Vazquez", XSS is triggered.
Fig. 2: XSS triggered.
Fig. 2: XSS triggered.
Note: This XSS is persistent, in control event, but this only affects my account. Therefore It's medium Risk.
== THIRD: XSS O HTML INJECTION (PERSISTENT) ==
Risk: High
Again Edit your profile in -> http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
Changing departament parameter for:
");alert('XSS by J.A. Vazquez');//
Saving changes, we bypass protection in CDATA...
Now we go to Public Profile and set "Departament" as visible.
Then, go to location and set "show in personal profile".
Now if a user visit our profile, he could be owned with xss attack.
For example. Going to --> http://[HOST]/repository.php?ref_id=34153&cmdClass=ilpublicuserprofilegui&user=742&cmd=getHTML&cmdNode=1f:ej:6p
Fig. 3: Direct and Persistent XSS
Note: This XSS could be reproduced using other vars (any of location, for example, city, street or view) (No tested but it's probably). This XSS is persistent and it doesn't need a javascript event for triggering. It's triggered in page load.
== FOURTH: XSS O HTML INJECTION (PERSISTENT) ==
Risk: Medium
Go to bookmark section and create a folder, then set a new bookmark in this folder with:
Title: Nice XSS by J.A. Vazquez
Description: Nice XSS by J.A. Vazquez
URL: aa" onmouseover="alert('Creado por J.A. Vazquez!');
Fig. 4.1: XSS in bookmark. Location 1.
Fig. 4.2: XSS in bookmark. Location 2.
Note: This XSS only affects to own user. It's loaded in a javascript event and it could be reproduced in two different location.
== FIFTH: ARBITRARY SESSION_ID INSERTION ==
Risk: Medium
Plugin Tiny MCE has some vulnerabilities.
Go to here -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=[SESSION_ID]&client_id=docencia
Use [SESSION_ID] your PHPSESSID.
But if session_id is left to nothing, ie -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=&client_id=docencia
You display a MDB2 (MYSQL) ERROR.
Fig. 5.1: SQL Error.
But if we put any value in session_id, this value is stored. I've tried a SQL Injection Attack, but it's not reachable.
Fig. 5.2: Session_id corrupted in DB.
Fig. 5.2: Session_id corrupted in DB.
== SIXTH: DIRECTORY TRAVERSAL VULNERABILITY ==
Risk: High
Plugin Tiny MCE is vulnerable to Directory Traversal.
Go to -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=6&session_id=%&client_id=test_403/../../../&obj_type=frm
Fig. 6: Denial Of Service using DT.
Note: Tested only in localhost because server could be DoSed (Denial Of service). Depends on Script time execution.
Btw, Local File Inclusion (LFI) or Remote File Inclusion (RFI) is not possible) (In this case, "client_id" var is used to load image titles, etc).
== CREDITS ==
Author of this advisory is Independient Security researcher José A. Vázquez Gonzalez. Copyright © 2010 José Antonio Vázquez González.
That's all. Be safe ;)
No hay comentarios:
Publicar un comentario