Zone-H Research Center Security Advisory 200501
http://fr.zone-h.org

Date of release: 27/04/2005

Software: Claroline (www.claroline.net)

Affected versions:
1.5.3
1.6 beta
1.6 Release Candidate 1
(probably previous versions too)

Risk: High

Discovered by:
Kevin Fernandez "Siegfried"
Mehdi Oudad "deepfear"
from the Zone-H Research Team

Background (from their web site)
----------
Claroline is an Open Source software based on PHP/MySQL. It's a collaborative learning environment allowing teachers or education institutions to create and administer courses through the web.

Description
-----------
Multiple cross-site scripting, 10 SQL injection, 7 directory traversal and 4 remote file inclusion vulnerabilities have been found in Claroline.

Details
-------

1) Multiple cross-site scripting vulnerabilities have been found in the following pages:
claroline/exercice/exercise_result.php
claroline/exercice/exercice_submit.php
claroline/calendar/myagenda.php
claroline/calendar/agenda.php
claroline/tracking/user_access_details.php
claroline/tracking/toolaccess_details.php
claroline/learnPath/learningPathList.php
claroline/learnPath/learningPathAdmin.php
claroline/learnPath/learningPath.php
claroline/tracking/userLog.php
[..]

Examples:
claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/tracking/user_access_details.php?cmd=doc&data=%3Cscript%3Ealert('xss');%3C/script%3E
claroline/calendar/myagenda.php?coursePath=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
[..]

2) 10 SQL injections have been found; they could be exploited by users to retrieve the passwords of the admin, arbitrary teachers or students.
claroline/learnPath/learningPath.php (3)
claroline/tracking/exercises_details.php
claroline/learnPath/learningPathAdmin.php
claroline/tracking/learnPath_details.php
claroline/user/userInfo.php (2)
claroline/learnPath/modules_pool.php
claroline/learnPath/module.php

Examples:
claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/*
claroline/tracking/exercises_details.php?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1--
[..]

3) Multiple directory traversal vulnerabilities in "claroline/document/document.php" and "claroline/learnPath/insertMyDoc.php" could allow project administrators (teachers) to upload files in arbitrary folders or copy/move/delete (then view) files of arbitrary folders by performing directory traversal attacks.

4) Four remote file inclusion vulnerabilities have been discovered.

Solution
--------
Claroline users are urged to update to version 1.54 or 1.6 final:
http://www.claroline.net/download.htm

See also:
http://www.claroline.net/news.php#85
http://www.claroline.net/news.php#86

Timeline
--------
18/04 Vulnerabilities found
22/04 Vendor contacted (quick answer)
25/04 Claroline 1.54 released
26/04 Claroline 1.6 final released
27/04 Users alerted via the mailing list
27/04 Advisory released

French version available here: http://fr.zone-h.org/fr/advisories/read/id=180/
English version: http://www.zone-h.org/advisories/read/id=7472

Zone-H Research Center
http://fr.zone-h.org

Join us on #zone-h @ irc.eu.freenode.net

You can contact the team leader at deepfear@fr.zone-h.org

Thanks to University Montpellier 2.
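
Added example (not part of the Zone-H advisory and not Claroline code): a Python check an administrator of a not-yet-updated installation could run over web server access logs to flag requests that abuse the parameters named in the advisory's examples. The log lines are constructed, and treating uInfo and exo_id as integer ids is an assumption drawn from the "-1 UNION ..." examples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory's examples. Treating uInfo and exo_id as
# integer ids is an assumption drawn from the "-1 UNION ..." examples.
NUMERIC = {"userInfo.php": {"uInfo"}, "exercises_details.php": {"exo_id"}}
REFLECTED = {
    "toolaccess_details.php": {"tool"},
    "user_access_details.php": {"data"},
    "myagenda.php": {"coursePath"},
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r"\b(union|select)\b|/\*|--", re.I)

def check_request(target):
    """Return (script, param, reason) findings for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qsl percent-decodes, so %3Cscript%3E and %20UNION%20 are seen decoded
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in NUMERIC.get(script, ()) and not re.fullmatch(r"\d+", value):
            reason = "sql-keywords" if SQL_WORDS.search(value) else "non-numeric-id"
            findings.append((script, name, reason))
        elif name in REFLECTED.get(script, ()) and re.search(r"[<>]", value):
            findings.append((script, name, "markup-in-parameter"))
    return findings

def scan(log_lines):
    """Return (line_number, finding) pairs for access-log lines."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, f) for f in check_request(match.group(1)))
    return hits

# Constructed sample log lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2005:10:00:01 +0200] "GET /claroline/user/userInfo.php?uInfo=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/Apr/2005:10:00:07 +0200] "GET /claroline/user/userInfo.php?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1" 200 611',
    '192.0.2.10 - - [27/Apr/2005:10:01:12 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=3 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [27/Apr/2005:10:01:30 +0200] "GET /claroline/tracking/toolaccess_details.php?tool=%3Cscript%3Ealert(\'xss\');%3C/script%3E HTTP/1.1" 200 2101',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, *finding)
```

The same type checks (integer-only ids, no markup in reflected parameters) are what the application itself should enforce on input; the log scan only shows which requests would have failed them.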