--------------------------------------------------------------------------------------
MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION --ILIAS LMS <= 3.10.7/3.9.9-->
--------------------------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.ilias.de/
-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu
-->DEMO: http://www.demo.ilias-support.com/
-->CATEGORY: LMS/Education
-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you
to easily manage learning resources in an integrated system.
-->RELEASED: 2009-06-22

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: "powered by ILIAS"
-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE
-->AFFECTED VERSIONS: 3.10.7/3.9.9
-->Discovered bug date: 2009-06-28
-->Reported bug date: 2009-06-28
-->Fixed bug date: 2009-06-30
-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: YEnH4ckEr <--<3--> Marijose.
I'm going to rest for some time...J. Enrique and Pedro...wtf!?...something about ILIAS!! ^_^


<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>>


I used my own account at my university...sorry for testing :P


#################################
/////////////////////////////////

ARBITRARY INFORMATION DISCLOSURE

/////////////////////////////////
#################################


-------------------
-------------------

"POST-ITS" ISSUE:

-------------------
-------------------


When a user (teacher, admin, student...) posts a new post-it,
he can read every post-it in the database.

The vuln link would be:

http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0&note_id=1&note_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI

Changing note_id=1 to another value, e.g. 100, we can
read that post-it.

That seems a low-risk vuln, but when I tested it on-line, i.e.
against my university, I got a lot of sensitive information.



-------------------
-------------------

"CMD" ISSUE:

-------------------
-------------------


Course/group/... calendars:

This would be a normal link:

http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438

But if I change cmd=frameset to cmd=edit:

http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit

I get access to information about this group/course/..., and I tried to
change it but got permission denied...anyway, I
can see how this group/course/... is configured.


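Both issues above share one root cause: the handler is chosen from the cmd parameter, but the permission that is checked (if any) is not derived from that same command, so a user who may only read an object can still open its edit form or someone else's note. The pattern that closes this is shown below as an added example in Python; it is not ILIAS's own code, and the permission names, the Obj/Repository classes and the ACL layout are assumptions made for the example.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when a command is not permitted on the target object."""

# Permission each command needs on its target (assumed names, not ILIAS's RBAC operations).
# Note that merely showing an edit form ("edit", "editFormBookmark") already requires "write".
CMD_PERMISSION = {"frameset": "read", "showNote": "read", "edit": "write",
                  "editFormBookmark": "write", "update": "write"}

@dataclass
class Obj:
    obj_id: int
    owner_id: int
    acl: dict = field(default_factory=dict)  # user_id -> set of granted permissions
    data: str = ""

    def allows(self, user_id, perm):
        # The owner holds every permission; anyone else only what the ACL grants.
        return user_id == self.owner_id or perm in self.acl.get(user_id, set())

class Repository:
    def __init__(self):
        self.objects = {}

    def add(self, obj):
        self.objects[obj.obj_id] = obj

    def dispatch(self, user_id, cmd, obj_id):
        """Look up the permission from cmd, then check it on the object BEFORE running a
        handler. Unknown commands, missing objects and foreign objects all fail closed."""
        perm = CMD_PERMISSION.get(cmd)
        obj = self.objects.get(obj_id)
        if perm is None or obj is None or not obj.allows(user_id, perm):
            raise Forbidden(f"user {user_id}: cmd={cmd} on object {obj_id} denied")
        return {"cmd": cmd, "obj_id": obj_id, "data": obj.data}

def demo_repository():
    """Constructed data: course 50438 (owner 1, user 2 may read) and post-it 1 (owner 3)."""
    repo = Repository()
    repo.add(Obj(50438, owner_id=1, acl={2: {"read"}}, data="course configuration"))
    repo.add(Obj(1, owner_id=3, data="private post-it"))
    return repo

def is_denied(repo, user_id, cmd, obj_id):
    try:
        repo.dispatch(user_id, cmd, obj_id)
    except Forbidden:
        return True
    return False
```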

-------------------
-------------------

"CALENDAR" ISSUE:

-------------------
-------------------


http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI

Changing category_id, it shows sensitive information about
any course/group/...

Personal and global calendars are secure.


#########################################
/////////////////////////////////////////

ARBITRARY INFORMATION DISCLOSURE/EDITION

/////////////////////////////////////////
#########################################


This module (favorites) provides a repository of favorite links.


-------------------
-------------------

"FAVORITE" ISSUE:

-------------------
-------------------


This would be the vuln link:

http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI

The GET var 'obj_id' is the vuln var...changing it to another value you can view and edit any favorite link.

The user (victim) trusts these links (he posted them).
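For anyone running an instance that has not yet moved to 3.10.8/3.9.10, all four issues leave the same trace in the web server access log: a single client hitting one command with many distinct object ids in a short time. The following is an added example in Python, not code from the advisory or from ILIAS; it parses constructed combined-format log lines for the four endpoints above and flags that pattern. The threshold, the time window and the sample traffic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache combined-log prefix: client, timestamp, request line, status (simplified regex).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# (script, cmd) -> object parameter whose value the advisory shows being swapped.
WATCHED = {("ilias.php", "showNote"): "note_id", ("ilias.php", "editFormBookmark"): "obj_id",
           ("ilias.php", "edit"): "category_id", ("repository.php", "edit"): "ref_id"}

def parse_line(line):
    """Return (client, time, script, cmd, object_id) or None for lines not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, path, _status = m.groups()
    url = urlparse(path)
    qs = parse_qs(url.query)
    script, cmd = url.path.rsplit("/", 1)[-1], qs.get("cmd", [None])[0]
    param = WATCHED.get((script, cmd))
    if param is None or param not in qs:
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, script, cmd, qs[param][0]

def find_enumeration(lines, threshold=5, window_seconds=300):
    """Flag (client, script, cmd) touching >= threshold distinct object ids inside the window."""
    seen = defaultdict(list)
    for client, when, script, cmd, oid in filter(None, map(parse_line, lines)):
        seen[(client, script, cmd)].append((when, oid))
    alerts = []
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {oid for t, oid in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ids) >= threshold:
                alerts.append((key, sorted(ids)))
                break
    return alerts

def sample_line(client, sec, note_id):
    """Constructed showNote request in combined-log format (not real ILIAS traffic)."""
    return (f'{client} - - [28/Jun/2009:10:00:{sec:02d} +0200] "GET /ilias/ilias.php?'
            f'block_type=pdnotes&note_id={note_id}&note_type=1&cmd=showNote'
            f'&cmdClass=ilpdnotesblockgui&baseClass=ilPersonalDesktopGUI HTTP/1.1" 200 1532')

# One client walks note_id 100..105 within six seconds; another reads a single note.
SAMPLE = [sample_line("10.0.0.5", s, 100 + s) for s in range(6)] + [sample_line("10.0.0.9", 30, 7)]
```

A legitimate user reading their own notes rarely touches more than a handful of distinct ids per command in a few minutes, so the threshold can be kept low; tune it against real traffic before alerting on it.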


############
////////////

VIDEOS DEMO

////////////
############


ARBITRARY INFORMATION DISCLOSURE AND EDITION ("FAVORITES") --> http://www.youtube.com/watch?v=i6D6UVR0358

ARBITRARY INFORMATION DISCLOSURE ("POST-ITS") --> http://www.youtube.com/watch?v=eSPp1dswe1E


####################
////////////////////

DISCLOSURE TIMELINE

////////////////////
####################


**2009-06-28** ~~~~~> FIRST VULNS DISCOVERED

**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR

**2009-06-29** ~~~~~> OTHER SECURITY ISSUE DISCOVERED

**2009-06-29** ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT

**2009-06-30** ~~~~~> VENDOR RESPONDED

**2009-06-30** ~~~~~> VENDOR CONFIRMED SECURITY ISSUES

**2009-06-30** ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMED 3.9 AFFECTED)

**2009-06-30** ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release"

**2009-07-01** ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES

**2009-07-01** ~~~~~> I WILL WAIT FOR THE NEXT RELEASE BEFORE FULL DISCLOSURE

**2009-07-08** ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE (3.10.8 / 3.9.10)

**2009-07-11** ~~~~~> I CONTACTED THEM AGAIN TO SET A DISCLOSURE DATE, ESTABLISHED AS 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...)

**2009-07-12** ~~~~~> ILIAS AGREED WITH THIS DATE AND POSTED A LINK FOR CREDITS

**2009-07-15** ~~~~~> FULL DISCLOSURE...PUBLISHED ADVISORY.


#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...   ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community!                             ##
##*******************************************************************##
#######################################################################
#######################################################################