188 lines
8.7 KiB
Text
Executable file
188 lines
8.7 KiB
Text
Executable file
Document Title:
|
|
===============
|
|
Olat CMS 7.8.0.1 - Persistent Calender Web Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1125
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2013-10-27
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1125
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
4.1
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
OLAT is an open source Learning Management System offering a flexible online course system along with extensive
|
|
features to guarantee learning and teaching independent of time and place. It has been created especially for
|
|
public institutions such as universities, academies or colleges, however, it is also suitable for other businesses
|
|
since OLAT can easily represent any didactic concept or be used in any kind of learning environment.
|
|
|
|
(Copy of the Vendor Homepage: http://www.olat.org/ )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the Olat v7.8.0.1 CMS.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2013-10-27: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Olat
|
|
Product: Content Management System 7.8.0.1 (b20130821 N1)
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
Medium
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A persistent input validation web vulnerability is detected in the Olat Content Management System v7.8.0.1 (b20130821-N1) web-application.
|
|
The web vulnerability allows remote attackers to implement/inject own malicious script codes on application side of the online-service.
|
|
|
|
The persistent web vulnerability is located in the `Calender` module. Remote attackers are able inject malicious script codes
|
|
via POST method request in the event name (o2cl) parameters of the calender service. The script code executes in the main calender
|
|
index. Attacker can also share the calender event by using the public function to stream the code to all other users and administrators.
|
|
|
|
Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application user account.
|
|
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent
|
|
web attacks, persistent phishing or persistent module context manipulation.
|
|
|
|
Request Method(s):
|
|
[+] [POST]
|
|
|
|
Vulnerable Module(s):
|
|
[+] Calender
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] event name (o2cl)
|
|
|
|
Affected Module(s):
|
|
[+] Calender Index - Event
|
|
[+] Home Index - Events
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and
|
|
only indirect user interaction (page visit). For demonstration or reproduce ...
|
|
|
|
Manual steps to reproduce ...
|
|
1. Install the CMS and login with your low privileged application user account
|
|
2. Open the calender, switch to event and add a new one
|
|
3. Inject your own malicious test script code to the event name & date input fields
|
|
4. Click the public event button and save the input to reload the edit site
|
|
5. The malicious test context executes in the index module of the calender
|
|
6. Click the home button and switch on the right site to the calender events
|
|
7. The malicious test code will be visible to all users in the same group or to the administrators
|
|
8. Successful reproduced ...!
|
|
|
|
|
|
PoC: Event Calender Index
|
|
|
|
<div id=``o_cal_wv_daylong`` style=``height: 20px;``><div class=``o_cal_wv_time o_cal_wv_row0`` style=``height: 100%;``></div>
|
|
<div class=``o_cal_wv_dlday o_cal_wv_row1 o_cal_wv_holiday`` style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row2``
|
|
style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row3`` style=``height: 100%;``></div>
|
|
<div class=``o_cal_wv_dlday o_cal_wv_row4`` style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row5``
|
|
style=``height: 100%;``><div class=``o_cal_wv_devent_wrapper``><div class=``o_cal_wv_devent o_cal_blue``>
|
|
<div class=``o_cal_wv_devent_content``><a href=``/olat/auth/1%3A3%3A1002014393%3A5%3A1%3Acmd%3Aedt%3Ap%3Aadmin_en%C2%A7myolat_
|
|
1_88496073986542%C2%A71382565600000/``
|
|
target=``oaa0`` onclick=``return o2cl();``>><[PERSISTENT INJECTED SCRIPT CODE!];@gmail.com</a><div class=``o_cal_links``></div></div>
|
|
<div class=``o_cal_wv_event_tooltip o_cal_allday``><div class=``o_cal_time``>Thursday, October 24, 2013</div>
|
|
<div class=``o_cal_wv_event_tooltip_content``>><[PERSISTENT INJECTED SCRIPT CODE!]</div>
|
|
|
|
URL: http://olat.localhost:8080/olat/dmz/1%3A2%3A1002010697%3A2%3A0%3Aofo_%3Afid/?o_winrndo=1
|
|
|
|
|
|
|
|
PoC: Dashboard - Calender
|
|
|
|
<div id=``o_c1002040024``><form method=``post`` name=``tb_ms_375920232`` action=``/olat/auth/1%3A3%3A1002040024%3A1%3A1/``
|
|
id=``tb_ms_375920232`` target=``oaa0`` onsubmit=``o_beforeserver();``><div class=``b_overflowscrollbox``
|
|
id=``b_overflowscrollbox_375920232``><table id=``b_table375920232``><tbody><tr class=`` b_first_child
|
|
b_last_child``><td class=``b_align_normal b_first_child``><a name=``b_table``></a>All day today</td>
|
|
<td class=``b_align_normal b_last_child``><a href=``/olat/auth/1%3A3%3A1002040024%3A1%3A1%3Ar%3A0%3Ap%3Acmd.launch/``
|
|
onclick=``return o2cl()`` target=``oaa0``>><[PERSISTENT INJECTED SCRIPT CODE!]...</a``></td></tr></tbody></table></div>
|
|
<div class=``b_table_buttons``></div><input type=``hidden`` name=``cmd`` value=```` /><input type=``hidden`` name=``param`` value=```` /></form></div>
|
|
</div></div></div></div></div></div></div>
|
|
|
|
URL: http://olat.localhost:8080/olat/dmz/1%3A2%3A1002010697%3A2%3A0%3Aofo_%3Afid/
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The vulnerability can be patched by a secure encode and parse of the events calender name parameter.
|
|
Parse also the output section in the main home events listing (right bottom) and encode the calender index name list.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the persistent post inject web vulnerability is estimated as medium(+).
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY RESEARCH TEAM
|
|
DOMAIN: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|