Vulnerabilities > CVE-2005-1374 - Remote Input Validation vulnerability in Claroline 1.5.3/1.6Beta/1.6Rc1

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
claroline
nessus
exploit available
NVD
Published: 2005-05-03
Updated: 2017-07-11

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to inject arbitrary web script or HTML via (1) exercise_result.php, (2) exercice_submit.php, (3) agenda.php, (4) learningPathList.php, (5) learningPathAdmin.php, (6) learningPath.php, (7) userLog.php, (8) tool parameter to toolaccess_details.php, (9) data parameter to user_access_details.php, or (10) coursePath parameter to myagenda.php.

Vulnerable Configurations

Part Description Count
Application
Claroline
3

Exploit-Db

  • descriptionClaroline 1.5/1.6 myagenda.php coursePath Parameter XSS. CVE-2005-1374. Webapps exploit for php platform
    idEDB-ID:25551
    last seen2016-02-03
    modified2005-04-27
    published2005-04-27
    reporterSieg Fried
    sourcehttps://www.exploit-db.com/download/25551/
    titleClaroline 1.5/1.6 myagenda.php coursePath Parameter XSS
  • descriptionClaroline 1.5/1.6 toolaccess_details.php tool Parameter XSS. CVE-2005-1374. Webapps exploit for php platform
    idEDB-ID:25549
    last seen2016-02-03
    modified2005-04-27
    published2005-04-27
    reporterSieg Fried
    sourcehttps://www.exploit-db.com/download/25549/
    titleClaroline 1.5/1.6 toolaccess_details.php tool Parameter XSS
  • descriptionClaroline 1.5/1.6 user_access_details.php data Parameter XSS. CVE-2005-1374. Webapps exploit for php platform
    idEDB-ID:25550
    last seen2016-02-03
    modified2005-04-27
    published2005-04-27
    reporterSieg Fried
    sourcehttps://www.exploit-db.com/download/25550/
    titleClaroline 1.5/1.6 user_access_details.php data Parameter XSS

Nessus

NASL familyCGI abuses
NASL idCLAROLINE_MULT_VULNS.NASL
descriptionThe version of Claroline (an open source, collaborative learning environment) installed on the remote host suffers from a number of remotely-exploitable vulnerabilities, including: - Multiple Remote File Include Vulnerabilities Four scripts let an attacker read arbitrary files on the remote host and possibly even run arbitrary PHP code, subject to the privileges of the web server user. - Multiple SQL Injection Vulnerabilities Seven scripts let an attacker inject arbitrary input into SQL statements, potentially revealing sensitive data or altering them. - Multiple Cross-Site Scripting Vulnerabilities An attacker can pass arbitrary HTML and script code through any of 10 flawed scripts and potentially have that code executed by a user
last seen2020-06-01
modified2020-06-02
plugin id18165
published2005-04-29
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18165
titleClaroline < 1.5.4 / 1.6.0 Multiple Vulnerabilities (RFI, SQLi, XSS, Traversal)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(18165);
  script_version("1.21");

  script_cve_id(
    "CVE-2005-1374", 
    "CVE-2005-1375", 
    "CVE-2005-1376", 
    "CVE-2005-1377"
  );
  script_bugtraq_id(13407);

  script_name(english:"Claroline < 1.5.4 / 1.6.0 Multiple Vulnerabilities (RFI, SQLi, XSS, Traversal)");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to a
variety of attacks." );
 script_set_attribute(attribute:"description", value:
"The version of Claroline (an open source, collaborative learning
environment) installed on the remote host suffers from a number of
remotely-exploitable vulnerabilities, including:

  - Multiple Remote File Include Vulnerabilities
    Four scripts let an attacker read arbitrary files on the 
    remote host and possibly even run arbitrary PHP code, 
    subject to the privileges of the web server user.

  - Multiple SQL Injection Vulnerabilities
    Seven scripts let an attacker inject arbitrary input
    into SQL statements, potentially revealing sensitive
    data or altering them.

  - Multiple Cross-Site Scripting Vulnerabilities
    An attacker can pass arbitrary HTML and script code
    through any of 10 flawed scripts and potentially have
    that code executed by a user's browser in the context 
    of the affected website.

  - Multiple Directory Traversal Vulnerabilities
    By exploiting flaws in 'claroline/document/document.php' 
    and 'claroline/learnPath/insertMyDoc.php', project leaders
    (teachers) are able to upload files to arbitrary folders 
    or copy/move/delete (then view) files of arbitrary folders." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d5e500e" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Claroline version 1.5.4 / 1.6.0 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/27");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple input validation vulnerabilities in Claroline < 1.5.4 / 1.6.0";

  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("claroline_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/claroline");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Test an install.
install = get_kb_item(string("www/", port, "/claroline"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Check for the vulnerability by trying to grab a file.
  r = http_send_recv3(method:"GET", port: port,
    item:string(
      dir, "/claroline/inc/claro_init_header.inc.php?",
      "includePath=/etc/passwd%00"));
  if (isnull(r)) exit(0);
  res = r[2];

  # It's a problem if there's an entry for root.
  if (egrep(string:res, pattern:"root:.+:0:")) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}

References