186 lines
No EOL
8.5 KiB
Text
186 lines
No EOL
8.5 KiB
Text
Document Title:
|
||
===============
|
||
Olat CMS 7.8.0.1 - Persistent Calender Web Vulnerability
|
||
|
||
|
||
References (Source):
|
||
====================
|
||
http://www.vulnerability-lab.com/get_content.php?id=1125
|
||
|
||
|
||
Release Date:
|
||
=============
|
||
2013-10-27
|
||
|
||
|
||
Vulnerability Laboratory ID (VL-ID):
|
||
====================================
|
||
1125
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
4.1
|
||
|
||
|
||
Product & Service Introduction:
|
||
===============================
|
||
OLAT is an open source Learning Management System offering a flexible online course system along with extensive
|
||
features to guarantee learning and teaching independent of time and place. It has been created especially for
|
||
public institutions such as universities, academies or colleges, however, it is also suitable for other businesses
|
||
since OLAT can easily represent any didactic concept or be used in any kind of learning environment.
|
||
|
||
(Copy of the Vendor Homepage: http://www.olat.org/ )
|
||
|
||
|
||
Abstract Advisory Information:
|
||
==============================
|
||
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the Olat v7.8.0.1 CMS.
|
||
|
||
|
||
Vulnerability Disclosure Timeline:
|
||
==================================
|
||
2013-10-27: Public Disclosure (Vulnerability Laboratory)
|
||
|
||
|
||
Discovery Status:
|
||
=================
|
||
Published
|
||
|
||
|
||
Affected Product(s):
|
||
====================
|
||
Olat
|
||
Product: Content Management System 7.8.0.1 (b20130821 N1)
|
||
|
||
|
||
Exploitation Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity Level:
|
||
===============
|
||
Medium
|
||
|
||
|
||
Technical Details & Description:
|
||
================================
|
||
A persistent input validation web vulnerability is detected in the Olat Content Management System v7.8.0.1 (b20130821-N1) web-application.
|
||
The web vulnerability allows remote attackers to implement/inject own malicious script codes on application side of the online-service.
|
||
|
||
The persistent web vulnerability is located in the `Calender` module. Remote attackers are able inject malicious script codes
|
||
via POST method request in the event name (o2cl) parameters of the calender service. The script code executes in the main calender
|
||
index. Attacker can also share the calender event by using the public function to stream the code to all other users and administrators.
|
||
|
||
Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application user account.
|
||
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent
|
||
web attacks, persistent phishing or persistent module context manipulation.
|
||
|
||
Request Method(s):
|
||
[+] [POST]
|
||
|
||
Vulnerable Module(s):
|
||
[+] Calender
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] event name (o2cl)
|
||
|
||
Affected Module(s):
|
||
[+] Calender Index - Event
|
||
[+] Home Index - Events
|
||
|
||
|
||
Proof of Concept (PoC):
|
||
=======================
|
||
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and
|
||
only indirect user interaction (page visit). For demonstration or reproduce ...
|
||
|
||
Manual steps to reproduce ...
|
||
1. Install the CMS and login with your low privileged application user account
|
||
2. Open the calender, switch to event and add a new one
|
||
3. Inject your own malicious test script code to the event name & date input fields
|
||
4. Click the public event button and save the input to reload the edit site
|
||
5. The malicious test context executes in the index module of the calender
|
||
6. Click the home button and switch on the right site to the calender events
|
||
7. The malicious test code will be visible to all users in the same group or to the administrators
|
||
8. Successful reproduced ...!
|
||
|
||
|
||
PoC: Event Calender Index
|
||
|
||
<div id=``o_cal_wv_daylong`` style=``height: 20px;``><div class=``o_cal_wv_time o_cal_wv_row0`` style=``height: 100%;``></div>
|
||
<div class=``o_cal_wv_dlday o_cal_wv_row1 o_cal_wv_holiday`` style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row2``
|
||
style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row3`` style=``height: 100%;``></div>
|
||
<div class=``o_cal_wv_dlday o_cal_wv_row4`` style=``height: 100%;``></div><div class=``o_cal_wv_dlday o_cal_wv_row5``
|
||
style=``height: 100%;``><div class=``o_cal_wv_devent_wrapper``><div class=``o_cal_wv_devent o_cal_blue``>
|
||
<div class=``o_cal_wv_devent_content``><a href=``/olat/auth/1%3A3%3A1002014393%3A5%3A1%3Acmd%3Aedt%3Ap%3Aadmin_en%C2%A7myolat_
|
||
1_88496073986542%C2%A71382565600000/``
|
||
target=``oaa0`` onclick=``return o2cl();``>><[PERSISTENT INJECTED SCRIPT CODE!];@gmail.com</a><div class=``o_cal_links``></div></div>
|
||
<div class=``o_cal_wv_event_tooltip o_cal_allday``><div class=``o_cal_time``>Thursday, October 24, 2013</div>
|
||
<div class=``o_cal_wv_event_tooltip_content``>><[PERSISTENT INJECTED SCRIPT CODE!]</div>
|
||
|
||
URL: http://olat.localhost:8080/olat/dmz/1%3A2%3A1002010697%3A2%3A0%3Aofo_%3Afid/?o_winrndo=1
|
||
|
||
|
||
|
||
PoC: Dashboard - Calender
|
||
|
||
<div id=``o_c1002040024``><form method=``post`` name=``tb_ms_375920232`` action=``/olat/auth/1%3A3%3A1002040024%3A1%3A1/``
|
||
id=``tb_ms_375920232`` target=``oaa0`` onsubmit=``o_beforeserver();``><div class=``b_overflowscrollbox``
|
||
id=``b_overflowscrollbox_375920232``><table id=``b_table375920232``><tbody><tr class=`` b_first_child
|
||
b_last_child``><td class=``b_align_normal b_first_child``><a name=``b_table``></a>All day today</td>
|
||
<td class=``b_align_normal b_last_child``><a href=``/olat/auth/1%3A3%3A1002040024%3A1%3A1%3Ar%3A0%3Ap%3Acmd.launch/``
|
||
onclick=``return o2cl()`` target=``oaa0``>><[PERSISTENT INJECTED SCRIPT CODE!]...</a``></td></tr></tbody></table></div>
|
||
<div class=``b_table_buttons``></div><input type=``hidden`` name=``cmd`` value=```` /><input type=``hidden`` name=``param`` value=```` /></form></div>
|
||
</div></div></div></div></div></div></div>
|
||
|
||
URL: http://olat.localhost:8080/olat/dmz/1%3A2%3A1002010697%3A2%3A0%3Aofo_%3Afid/
|
||
|
||
|
||
Solution - Fix & Patch:
|
||
=======================
|
||
The vulnerability can be patched by a secure encode and parse of the events calender name parameter.
|
||
Parse also the output section in the main home events listing (right bottom) and encode the calender index name list.
|
||
|
||
|
||
Security Risk:
|
||
==============
|
||
The security risk of the persistent post inject web vulnerability is estimated as medium(+).
|
||
|
||
|
||
Credits & Authors:
|
||
==================
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||
|
||
|
||
Disclaimer & Information:
|
||
=========================
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory [Evolution Security]
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||
DOMAIN: www.vulnerability-lab.com
|
||
CONTACT: research@vulnerability-lab.com |