[VulnWatch] ZRCSA-200501 - Multiple vulnerabilities in Claroline

Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005

Software: Claroline (www.claroline.net)

Affected versions: 
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)

Risk: High

Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative 
learning environment allowing teachers or education institutions to create and 
administer courses through the web.

Description
-----------
Multiple Cross site scripting, 10 SQL injection, 7 directory traversal and 4 
remote file inclusion vulnerabilities have been found in Claroline.


Details
-------

1)Multiple Cross site scripting vulnerabilities have been found in the 
following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2)10 SQL injections have been found, they could be exploited by users to 
retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3)Multiple directory traversal vulnerabilities in 
"claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" 
could allow project administrators (teachers) to upload files in arbitrary 
folders or copy/move/delete (then view) files of arbitrary folders by 
performing directory traversal attacks.

4)Four remote file inclusion vulnerabilities have been discovered.

Solution
--------
The Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net

You can contact the team leader at deepfear@fr.zone-h.org

Thanks to University Montpellier 2.