Vulnerable Systems:
* ILIAS LMS version 3.10.7 and prior
* ILIAS LMS version 3.9.9 and prior
Immune Systems:
* ILIAS LMS version 3.10.8
* ILIAS LMS version 3.9.10
"POST-ITS" issue:
When any user (teacher, admin, student) posts a new post-it, he can read all post-its in the database.
The vuln link would be:
http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0&note_id=1&note_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI
Changing note_id=1 to another value, e.g. 100, lets us read that post-it. That seems a low-risk vuln, but when I tested it on-line, i.e. against my university, I got a lot of sensitive information.
"CMD" issue:
Course/group/... calendars:
This would be a normal link:
http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438
But if I change cmd=frameset to cmd=edit:
http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit
I get access to information about this group/course/..., and I tried to change it, but I got permission denied... anyway, I can see how this group/course/... is configured.
"FAVORITE" issue:
This would be the vuln link:
http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI
The GET variable 'obj_id' is the vulnerable variable... by changing it to another value you can view and edit any favorite link.
The user (victim) trusts these links (he posts them).
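For sites that ran an affected version, the web server access log can show whether one client walked through many note_id or obj_id values. The following is an added detection example, not part of the original advisory or of ILIAS; it assumes combined-format access logs, groups by client IP (a session cookie would be more precise), and uses a constructed sample log, a hypothetical /ilias/ path and an arbitrary threshold.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Handler command -> the object-id parameter the advisory shows being changed.
WATCHED = {"showNote": "note_id", "editFormBookmark": "obj_id"}

# Combined-log-format request line; only client IP and request target are used.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def find_id_enumeration(lines, threshold=5):
    """Return {(client, cmd): sorted ids} for clients that requested more than
    `threshold` distinct object ids through one watched command."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        query = parse_qs(urlsplit(target).query)
        cmd = query.get("cmd", [""])[0]
        param = WATCHED.get(cmd)
        if param is None:
            continue  # command is not one of the watched handlers
        for value in query.get(param, []):
            if value.isdigit():
                seen[(client, cmd)].add(int(value))
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}

def _line(ip, query):
    # Builds one constructed access-log line (sample data, not real traffic).
    return (f'{ip} - - [01/Jul/2009:10:00:00 +0200] '
            f'"GET /ilias/ilias.php?{query} HTTP/1.1" 200 512')

NOTE_Q = ("col_side=right&block_type=pdnotes&rel_obj=0&note_id={}&note_type=1"
          "&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50"
          "&baseClass=ilPersonalDesktopGUI")

SAMPLE_LOG = (
    [_line("192.0.2.10", NOTE_Q.format(n)) for n in range(1, 9)]    # 8 ids
    + [_line("192.0.2.20", NOTE_Q.format(n)) for n in (41, 42)]     # normal use
    + [_line("192.0.2.20", "cmd=frameset&ref_id=50438")]            # unwatched
)

if __name__ == "__main__":
    for (client, cmd), ids in find_id_enumeration(SAMPLE_LOG).items():
        print(f"{client} {cmd}: {len(ids)} distinct ids {ids}")
```

A hit only marks a client for review: the threshold has to be tuned to how many notes or bookmarks a real user opens in the log window.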
Disclosure Timeline:
2009-06-28 ~~~~~> FIRST VULNS DISCOVERED
2009-06-29 ~~~~~> VULN REPORTED TO VENDOR
2009-06-29 ~~~~~> OTHER SECURITY ISSUE DISCOVERED
2009-06-29 ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT
2009-06-30 ~~~~~> VENDOR RESPONDED
2009-06-30 ~~~~~> VENDOR CONFIRMED SECURITY ISSUES
2009-06-30 ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMED 3.9 AFFECTED)
2009-06-30 ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release"
2009-07-01 ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES
2009-07-01 ~~~~~> I WILL WAIT FOR THE NEXT RELEASE BEFORE FULL DISCLOSURE
2009-07-08 ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE (3.10.8 / 3.9.10)
2009-07-11 ~~~~~> I CONTACTED THEM AGAIN TO SET A DISCLOSURE DATE, ESTABLISHED FOR 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...)
2009-07-12 ~~~~~> ILIAS AGREED WITH THIS DATE AND POSTED A LINK FOR CREDITS
2009-07-15 ~~~~~> FULL DISCLOSURE... PUBLISHED ADVISORY.