Vulnerabilities > CVE-2005-1375 - Remote Input Validation vulnerability in Claroline 1.5.3/1.6Beta/1.6Rc1

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
claroline
nessus
exploit available
NVD
Published: 2005-05-03
Updated: 2017-07-11

Summary

Multiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary SQL commands via (1) learningPath.php, (2) learningPathAdmin.php, (3) learnPath_details.php, (4) modules_pool.php, (5) module.php, (6) uInfo parameter in userInfo.php, or (7) exo_id parameter to exercises_details.php.

Vulnerable Configurations

Part Description Count
Application
Claroline
3

Exploit-Db

  • descriptionClaroline 1.5/1.6 exercises_details.php exo_id Parameter SQL Injection. CVE-2005-1375. Webapps exploit for php platform
    idEDB-ID:25553
    last seen2016-02-03
    modified2005-04-27
    published2005-04-27
    reporterSieg Fried
    sourcehttps://www.exploit-db.com/download/25553/
    titleClaroline 1.5/1.6 exercises_details.php exo_id Parameter SQL Injection
  • descriptionClaroline e-Learning <= 1.6 Remote Hash SQL Injection Exploit. CVE-2005-1375. Webapps exploit for php platform
    idEDB-ID:1052
    last seen2016-01-31
    modified2005-06-17
    published2005-06-17
    reportermh_p0rtal
    sourcehttps://www.exploit-db.com/download/1052/
    titleClaroline e-Learning <= 1.6 - Remote Hash SQL Injection Exploit

Nessus

NASL familyCGI abuses
NASL idCLAROLINE_MULT_VULNS.NASL
descriptionThe version of Claroline (an open source, collaborative learning environment) installed on the remote host suffers from a number of remotely-exploitable vulnerabilities, including: - Multiple Remote File Include Vulnerabilities Four scripts let an attacker read arbitrary files on the remote host and possibly even run arbitrary PHP code, subject to the privileges of the web server user. - Multiple SQL Injection Vulnerabilities Seven scripts let an attacker inject arbitrary input into SQL statements, potentially revealing sensitive data or altering them. - Multiple Cross-Site Scripting Vulnerabilities An attacker can pass arbitrary HTML and script code through any of 10 flawed scripts and potentially have that code executed by a user
last seen2020-06-01
modified2020-06-02
plugin id18165
published2005-04-29
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18165
titleClaroline < 1.5.4 / 1.6.0 Multiple Vulnerabilities (RFI, SQLi, XSS, Traversal)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(18165);
  script_version("1.21");

  script_cve_id(
    "CVE-2005-1374", 
    "CVE-2005-1375", 
    "CVE-2005-1376", 
    "CVE-2005-1377"
  );
  script_bugtraq_id(13407);

  script_name(english:"Claroline < 1.5.4 / 1.6.0 Multiple Vulnerabilities (RFI, SQLi, XSS, Traversal)");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to a
variety of attacks." );
 script_set_attribute(attribute:"description", value:
"The version of Claroline (an open source, collaborative learning
environment) installed on the remote host suffers from a number of
remotely-exploitable vulnerabilities, including:

  - Multiple Remote File Include Vulnerabilities
    Four scripts let an attacker read arbitrary files on the 
    remote host and possibly even run arbitrary PHP code, 
    subject to the privileges of the web server user.

  - Multiple SQL Injection Vulnerabilities
    Seven scripts let an attacker inject arbitrary input
    into SQL statements, potentially revealing sensitive
    data or altering them.

  - Multiple Cross-Site Scripting Vulnerabilities
    An attacker can pass arbitrary HTML and script code
    through any of 10 flawed scripts and potentially have
    that code executed by a user's browser in the context 
    of the affected website.

  - Multiple Directory Traversal Vulnerabilities
    By exploiting flaws in 'claroline/document/document.php' 
    and 'claroline/learnPath/insertMyDoc.php', project leaders
    (teachers) are able to upload files to arbitrary folders 
    or copy/move/delete (then view) files of arbitrary folders." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d5e500e" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Claroline version 1.5.4 / 1.6.0 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/27");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple input validation vulnerabilities in Claroline < 1.5.4 / 1.6.0";

  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("claroline_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/claroline");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Test an install.
install = get_kb_item(string("www/", port, "/claroline"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Check for the vulnerability by trying to grab a file.
  r = http_send_recv3(method:"GET", port: port,
    item:string(
      dir, "/claroline/inc/claro_init_header.inc.php?",
      "includePath=/etc/passwd%00"));
  if (isnull(r)) exit(0);
  res = r[2];

  # It's a problem if there's an entry for root.
  if (egrep(string:res, pattern:"root:.+:0:")) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}

References