Claroline 1.7.2, sso identification vulnerability

2006-01-2200:00:00

vulners.com

JSON

hi,
this is what we can read in file "/claroline/inc/claro_init_local.inc.php" :

[…]
$ssoCookieValue = md5( mktime() );

            $sql = &quot;UPDATE &#96;&quot;.$tbl_sso.&quot;&#96;
                    SET cookie    = &#39;&quot;.$ssoCookieValue.&quot;&#39;,
                        rec_time  = NOW&#40;&#41;
                    WHERE user_id = &quot;. &#40;int&#41; $_uid;

            $affectedRowCount = claro_sql_query_affected_rows&#40;$sql&#41;;

            if &#40;$affectedRowCount &lt; 1&#41;
            {
                $sql = &quot;INSERT INTO &#96;&quot;.$tbl_sso.&quot;&#96;
                        SET cookie    = &#39;&quot;.$ssoCookieValue.&quot;&#39;,
                            rec_time  = NOW&#40;&#41;,
                            user_id   = &quot;. &#40;int&#41; $_uid;

                claro_sql_query&#40;$sql&#41;;
            }

           $boolCookie = setcookie&#40;$ssoCookieName, $ssoCookieValue,
                                   $ssoCookieExpireTime,
                                   $ssoCookiePath, $ssoCookieDomain&#41;;

[…]

so, the cookie value must be always unknown.
in this code, the cookie value is the md5 value of the connection time ! really unknown ? no.

solution :
desactivate sso service
or
replace mktime() by rand(100,1000000) (for e.g)

JSON