== BRIEFING ==
Ilias is an LMS (Learning Management System) created by a German university. It is used by universities, schools and high schools around the world.
This document is the advisory sent to the Ilias Security Team, therefore it is written in the present tense.
Personally, I've worked previously with this team and vulnerabilities were patched in a short time, but this release took almost two months. Anyway, I think it is an isolated case.
Examples were tested against my old university. I had already finished XD.
I know that my English is :( but it was enough to help.
Credits given: 4.0.5 Release Notes
TITLE: MULTIPLE VULNERABILITIES IN ILIAS 4.0.3 (2010-01-26)
AUTHOR:JOSÉ A. VÁZQUEZ GONZÁLEZ
IMPACT: COOKIE STEALING AND MORE (MULTIPLE)
DISCOVERED DATE: 2010-02-19
== DISCLAIMER ==
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
== FIRST: SIMPLE BUG (NOT INJECTABLE) ==
Using the tag GET parameter, we can close an HTML comment, but XSS or HTML injection is not possible here, so this is only a simple bug.
Go to --> http://[HOST]/ilias.php?col_side=right&block_type=pdtag&tag=[BUG]&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI
-> The issue is in the [BUG] value.
Example -> http://[HOST]/docencia/ilias.php?col_side=right&block_type=pdtag&tag=--%3E%20%26%23%3C&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI
This will be the HTML source code returned:
... --> &#" id="block_pdcontent_0_blimg" /> -->
We use the end-of-comment sequence (-->).
Anyway, HTML tags are filtered, so this is not exploitable as HTML injection or XSS.
== SECOND: XSS OR HTML INJECTION (PERSISTENT) ==
Edit your profile in -> http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
In Personal Information, set Street, City and Country to:
XSS by J. A. Vazquez " onmouseover="alert('J.A. Vazquez');//
Save these changes.
Now go to Location --> http://[HOST]/ilias.php?cmd=showLocation&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
When you move the mouse over the input tag whose value is "XSS by J. A. Vazquez", the XSS is triggered.
Note: This XSS is persistent (in an event handler attribute), but it only affects my own account. Therefore it is medium risk.
== THIRD: XSS OR HTML INJECTION (PERSISTENT) ==
Again, edit your profile in -> http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI
Change the Department parameter to:
");alert('XSS by J.A. Vazquez');//
After saving the changes, we bypass the protection in the CDATA section...
Now we go to Public Profile and set "Department" as visible.
Then, go to Location and set "show in personal profile".
Now, if a user visits our profile, they can be owned by the XSS attack.
For example, going to --> http://[HOST]/repository.php?ref_id=34153&cmdClass=ilpublicuserprofilegui&user=742&cmd=getHTML&cmdNode=1f:ej:6p
== FOURTH: XSS OR HTML INJECTION (PERSISTENT) ==
Go to the bookmarks section and create a folder, then add a new bookmark in that folder with:
Title: Nice XSS by J.A. Vazquez
Description: Nice XSS by J.A. Vazquez
URL: aa" onmouseover="alert('Creado por J.A. Vazquez!');
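The three persistent cases above are output-encoding failures in two different contexts: an HTML attribute value (Street, bookmark URL) and a JavaScript string literal inside a CDATA block (Department). The following is an added example, not ILIAS code (setDept() and the field names are assumed); it renders the advisory's Street and Department payloads both verbatim and with context-specific encoding, and uses an HTML parser and a string decoder to show what a browser would recover in each case.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample inputs: the Street and Department payloads quoted in this advisory.
ATTRIBUTE_PAYLOAD = 'XSS by J. A. Vazquez " onmouseover="alert(\'J.A. Vazquez\');//'
JS_STRING_PAYLOAD = '");alert(\'XSS by J.A. Vazquez\');//'

def render_input_unsafe(value):
    """Vulnerable: the stored field is dropped into a quoted attribute verbatim."""
    return f'<input type="text" name="street" value="{value}" />'

def render_input_safe(value):
    """Hardened: attribute-encode the value, including both quote characters."""
    return f'<input type="text" name="street" value="{html.escape(value, quote=True)}" />'

def render_script_unsafe(value):
    """Vulnerable: the field is placed inside a JS string literal within a CDATA block."""
    return f'<script>//<![CDATA[\nsetDept("{value}");\n//]]></script>'

def render_script_safe(value):
    """Hardened: JSON-encode for the JS string context, then hex-escape <, > and & too."""
    literal = json.dumps(value)  # escapes the double quote, so the string cannot be closed
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)  # cannot close the CDATA block or </script> either
    return f'<script>//<![CDATA[\nsetDept({literal});\n//]]></script>'

class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the rendered <input> element."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attributes(fragment):
    """Parse a rendered <input> and return its attribute map (entity values decoded)."""
    parser = _InputAttrs()
    parser.feed(fragment)
    return parser.attrs

def script_argument(fragment):
    """Decode the string literal passed to setDept(); a JSON decoder stands in for the JS tokenizer."""
    start = fragment.index("setDept(") + len("setDept(")
    value, _ = json.JSONDecoder().raw_decode(fragment[start:])
    return value  # '' means the payload closed the literal and the rest ran as code
```

With the unsafe renderers the parsed <input> gains an onmouseover attribute and setDept() receives an empty string; with the safe ones the browser sees exactly the stored text and nothing else.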
== FIFTH: ARBITRARY SESSION_ID INSERTION ==
The TinyMCE plugin has some vulnerabilities.
Go here -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=[SESSION_ID]&client_id=docencia
Use your PHPSESSID as [SESSION_ID].
But if session_id is left empty, i.e. -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=&client_id=docencia
an MDB2 (MySQL) error is displayed.
But if we put any value in session_id, that value is stored. I've tried a SQL injection attack, but it is not reachable.
== SIXTH: DIRECTORY TRAVERSAL VULNERABILITY ==
The TinyMCE plugin is vulnerable to directory traversal.
Go to -> http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=6&session_id=%&client_id=test_403/../../../&obj_type=frm
Note: Tested only on localhost, because the server could be DoSed (denial of service); it depends on the script execution time.
Btw, Local File Inclusion (LFI) and Remote File Inclusion (RFI) are not possible (in this case, the "client_id" variable is used to load image titles, etc.).
== CREDITS ==
The author of this advisory is independent security researcher José A. Vázquez González. Copyright © 2010 José Antonio Vázquez González.
That's all. Be safe ;)