Friday, November 29, 2013

HTB23179: Claroline 1.11.8 multiple cross-site scripting (XSS)

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Claroline version 1.11.8 that can be exploited to perform cross-site scripting (XSS) attacks against users and administrators of the vulnerable web application. All five issues are reflected XSS: each payload begins with %22%3E ("&gt;), i.e. it closes a quoted HTML attribute in which the parameter is echoed, and four of the five are reachable only with an administrator session.

Cross-Site Scripting (XSS) in Claroline: CVE-2013-6267
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "box" HTTP GET parameter passed to the "/claroline/messaging/messagebox.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/messaging/messagebox.php?box=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient filtration of user-supplied data in the "cidToEdit" HTTP GET parameter passed to the "/claroline/admin/adminregisteruser.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/admin/adminregisteruser.php?cidToEdit=94102_001%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "cidToEdit" HTTP GET parameter passed to the "/claroline/admin/admin_user_course_settings.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/admin/admin_user_course_settings.php?ccfrom=culist&cidToEdit=94102%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E&uidToEdit=1

1.4 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "module_id" HTTP GET parameter passed to the "/claroline/admin/module/module.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/admin/module/module.php?module_id=4%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.5 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "offset" HTTP GET parameter passed to the "/claroline/admin/right/profile_list.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to display the word "ImmuniWeb":
http://[host]/claroline/admin/right/profile_list.php?cmd=exLock&offset=0%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

Solution: Update to Claroline 1.11.9

References:

  1. High-Tech Bridge Advisory HTB23179 - Multiple Cross-Site Scripting (XSS) in Claroline.
  2. Claroline - Open Source software for easily deploying an online learning and collaboration platform.

HTB23181: SQL Injection in Dokeos

High-Tech Bridge Security Research Lab discovered a vulnerability in Dokeos version 2.2RC that can be exploited to perform SQL injection attacks.

SQL Injection in Dokeos 2.2RC: CVE-2013-6341
The vulnerability exists due to insufficient validation of the "language" HTTP GET parameter passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database and gain complete control over the vulnerable web application.

The following exploitation example displays the version of the MySQL server. The payload closes the string literal with a quote, appends a UNION SELECT with the same number of columns (eight) as the original query so that version() lands in a column the page renders, and comments out the rest of the original statement; the trailing "2" after "--" keeps the space that MySQL requires after the comment marker from being trimmed:

http://[host]/index.php?language=0%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8%20--%202
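The UNION technique behind this PoC, as an added example that is not Dokeos code: a string-concatenated lookup beside its parameterised replacement, driven by the advisory's own URL-encoded payload. The table layout, the eight-column SELECT and the rendering of column 5 are assumptions chosen to match the shape of the payload (eight UNION columns with version() in position 5); SQLite stands in for MySQL, so sqlite_version() replaces version().

```python
"""UNION-based SQL injection of the kind the Dokeos "language" PoC shows.

Added example, not Dokeos code. Table layout, column count and the rendered
column are assumptions matching the published payload; SQLite replaces MySQL.
"""
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The advisory's payload, URL-encoded as in the PoC, with version() renamed
# to SQLite's equivalent.
POC_LANGUAGE = "0%27%20UNION%20SELECT%201,2,3,4,sqlite_version%28%29,6,7,8%20--%202"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one eight-column language row (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE language(id, english_name, original_name, isocode,"
                " folder, available, enabled, parent_id)")
    con.execute("INSERT INTO language VALUES (1,'english','English','en','english',1,1,0)")
    return con


def lookup_vulnerable(con: sqlite3.Connection, language: str) -> List[Tuple]:
    """The parameter is spliced into the SQL text: a quote ends the literal and
    everything after it is parsed as SQL."""
    sql = f"SELECT * FROM language WHERE english_name = '{language}'"
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, language: str) -> List[Tuple]:
    """Bound parameter: the same string is compared as a value, never parsed."""
    return con.execute("SELECT * FROM language WHERE english_name = ?",
                       (language,)).fetchall()


def rendered_column(rows: List[Tuple]) -> Optional[str]:
    """Column 5 of the first row: the position the payload fills with version()."""
    return str(rows[0][4]) if rows else None


def run_demo() -> dict:
    """What each implementation shows the attacker for the PoC input."""
    con = setup_db()
    language = unquote(POC_LANGUAGE)   # what $_GET['language'] would contain
    return {
        "decoded_payload": language,
        "vulnerable": rendered_column(lookup_vulnerable(con, language)),
        "fixed": rendered_column(lookup_fixed(con, language)),
        "fixed_legit": rendered_column(lookup_fixed(con, "english")),
        "real_version": sqlite3.sqlite_version,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the vulnerable lookup, the decoded query becomes `... WHERE english_name = '0' UNION SELECT 1,2,3,4,sqlite_version(),6,7,8 -- 2'` and the database version appears where the fifth language column would be; with the bound parameter the same input simply matches no row.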

Solution: An unofficial patch developed by High-Tech Bridge Security Research Lab is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip

References:

  1. High-Tech Bridge Advisory HTB23181 - SQL Injection in Dokeos.
  2. Dokeos - flexible, enterprise-ready e-learning software.

Thursday, November 28, 2013

HTB23182: Chamilo LMS SQL injection SQLi

Chamilo LMS version 1.9.6 is vulnerable to SQL injection, as discovered by High-Tech Bridge Security Research Lab.

Chamilo LMS - Chamilo aims at bringing you the best e-learning and collaboration platform in the open source world.

The SQL injection vulnerability in Chamilo LMS exists due to insufficient validation of the "password0" HTTP POST parameter passed to the "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. The exploitation example in advisory HTB23182 - SQL Injection in Chamilo LMS displays the version of the MySQL server. Successful exploitation requires that the application was configured during installation not to encrypt users' passwords (the "Encryption method" option set to "none"); with that setting the submitted password reaches the query unchanged instead of as a hash.

Solution: Edit the source code and apply the changes according to the vendor's instructions.

Monday, November 18, 2013

HTB23180: Tweet Blender 4.0.1 WordPress plugin cross-site scripting (XSS)

The Tweet Blender WordPress plugin version 4.0.1 is vulnerable to cross-site scripting (XSS), as discovered by High-Tech Bridge Security Research Lab (HTB23180).

Tweet Blender Wordpress Plugin provides several Twitter widgets: show your own tweets, show tweets relevant to post's tags, show tweets for Twitter lists, show tweets for hasht.

The cross-site scripting (XSS) vulnerability in Tweet Blender exists due to insufficient sanitisation of user-supplied data in the "tb_tab_index" HTTP POST parameter passed to the "/wp-admin/options-general.php" script. A remote attacker can trick a logged-in administrator into submitting a specially crafted form (for example from an attacker-controlled page) and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website. Because the parameter is sent by POST, the exploitation example is a form rather than a link; it uses the "alert()" JavaScript function to display the word "ImmuniWeb". The payload opens with "</script>", which indicates the value is echoed inside an inline script block:

<form action="http://[host]/wp-admin/options-general.php?page=tweet-blender/admin-page.php" method="post" name="main">
<input type="hidden" name="tb_tab_index" value='</script><script>alert("ImmuniWeb");</script>'>
<input type="submit" id="btn">
</form>
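The two reflection contexts seen in the HTB23179 Claroline payloads (a "> break-out of a quoted attribute) and in the Tweet Blender payload above (a </script> break-out of an inline script block), as an added example that is not Claroline or Tweet Blender code. Both templates are assumptions chosen to match the shape of the published payloads, and the escaping shown is the standard fix for each context, not the vendors' patches. The audit runs each rendered page through a real HTML tokenizer so the verdict is what a browser would see rather than a string search.

```python
"""Reflected XSS in two output contexts: attribute value and inline <script>.

Added example, not Claroline or Tweet Blender code. The hidden-input and
script templates are assumptions inferred from the shape of the published
payloads ("> and </script> prefixes respectively).
"""
import html
import json
from html.parser import HTMLParser
from typing import List
from urllib.parse import unquote_plus, urlparse

# Payloads taken from the advisories; the host is a placeholder.
CLAROLINE_URL = ("http://example.invalid/claroline/messaging/messagebox.php"
                 "?box=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E")
TWEET_BLENDER_PAYLOAD = '</script><script>alert("ImmuniWeb");</script>'


def query_param(url: str, name: str) -> str:
    """Decode one query parameter the way PHP's $_GET does: split on '&' only,
    so the ';' inside the payload survives."""
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return ""


# --- attribute context (Claroline-style) -----------------------------------
def attr_vulnerable(box: str) -> str:
    return f'<input type="hidden" name="box" value="{box}">'


def attr_fixed(box: str) -> str:
    # quote=True escapes both " and ', so the value can never close the attribute.
    return f'<input type="hidden" name="box" value="{html.escape(box, quote=True)}">'


# --- script context (Tweet Blender-style) ----------------------------------
def js_literal(value: str) -> str:
    """JSON-encode, then escape what JSON leaves alone. The HTML tokenizer ends a
    <script> element at the first '</script' regardless of JS quoting, so '<'
    must never reach the page; '>' and '&' are escaped for the same reason."""
    out = json.dumps(value)   # ensure_ascii also neutralises U+2028/U+2029
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, rep)
    return out


def script_vulnerable(tab_index: str) -> str:
    return f'<script>var tb_tab_index = "{tab_index}";</script>'


def script_fixed(tab_index: str) -> str:
    return f'<script>var tb_tab_index = {js_literal(tab_index)};</script>'


# --- audit with a real HTML tokenizer --------------------------------------
class _Audit(HTMLParser):
    """Records the tags, attribute names and script bodies a browser would see."""
    def __init__(self):
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[str] = []
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)
        if tag == "script":
            self.scripts.append("")
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def audit(page: str) -> _Audit:
    a = _Audit()
    a.feed(page)
    a.close()
    return a


def injected_into_attribute(page: str) -> List[str]:
    """Anything beyond the one expected <input> with type/name/value."""
    a = audit(page)
    return ([t for t in a.tags if t != "input"] +
            [x for x in a.attrs if x not in ("type", "name", "value")])


def script_bodies(page: str) -> List[str]:
    return audit(page).scripts


def recovered_js_value(page: str) -> str:
    """Parse the literal back out of the single script block, proving the fix
    keeps the value intact instead of mangling it."""
    body = script_bodies(page)[0]
    prefix, suffix = "var tb_tab_index = ", ";"
    return json.loads(body[len(prefix):-len(suffix)])
```

For the attribute case the vulnerable page yields an extra `script` element (and an event-handler payload such as `" onmouseover=alert(1) "` yields an extra attribute), while the escaped page yields exactly one `input` with three attributes. For the script case the vulnerable page contains two script elements, the second fully attacker-controlled, whereas the fixed page contains one, and decoding its literal returns the original value unchanged. HTML-entity escaping alone would be the wrong fix in the script context: entities are not decoded inside `<script>`, so the value would be corrupted rather than encoded.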

This vulnerability is patched in Tweet Blender version 4.0.2.

Thursday, November 14, 2013

HTB23178: Zikula Application Framework cross-site scripting (XSS)

Zikula Application Framework version 1.3.5 build 20, and probably prior versions, is vulnerable to cross-site scripting (XSS). Details of the vulnerability were disclosed this week by High-Tech Bridge Security Research Lab.

The cross-site scripting (XSS) vulnerability in Zikula Application Framework exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

Solution: Update to Zikula 1.3.6 build 19

Additional details are available on the researcher's page and on zikula.org.

Friday, November 8, 2013

HTB23177: SQL Injection in appRain

High-Tech Bridge Security Research Lab discovered a vulnerability in appRain that can be exploited to perform SQL injection attacks.

The blind SQL injection vulnerability in appRain is caused by insufficient validation of user-supplied data appended to the "/blog-by-cat/" URL. A remote attacker can execute arbitrary SQL commands to read, modify or delete information in the application's database. The payload contains no quote, so the value is used in a numeric comparison, and the attacker learns the result of an injected condition only from whether the page lists posts (boolean-based blind injection).

The following exploitation example displays all posts from category 1 if the MySQL server version is 5.x, and no posts otherwise:
http://[host]/blog-by-cat/1%20and%20substring(version(),1,1)=5/
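The boolean oracle the PoC relies on, generalised to full string extraction, as an added example that is not appRain code: the PoC tests one character of version() against one value, and the loop below repeats that test over positions and candidate characters until the whole string is recovered. The posts table and the unquoted numeric WHERE clause are assumptions matching the PoC; SQLite stands in for MySQL, so substr(sqlite_version(),i,1) replaces substring(version(),i,1), and the character is compared as a string because SQLite does not coerce '5' = 5 the way MySQL does.

```python
"""Boolean-based blind SQL injection, generalised from the appRain PoC.

Added example, not appRain code. Table and query shape are assumptions
matching the PoC; SQLite replaces MySQL.
"""
import sqlite3
from typing import Callable, List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two posts in category 1, one in category 2."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts(id INTEGER, cat_id INTEGER, title TEXT)")
    con.executemany("INSERT INTO posts VALUES (?,?,?)",
                    [(1, 1, "first"), (2, 1, "second"), (3, 2, "other")])
    return con


def blog_by_cat_vulnerable(con: sqlite3.Connection, segment: str) -> List[Tuple]:
    """Simulated /blog-by-cat/<segment>/ handler: the segment is concatenated
    into a numeric comparison, so no quote is needed to inject."""
    return con.execute(f"SELECT id, title FROM posts WHERE cat_id = {segment}").fetchall()


def blog_by_cat_fixed(con: sqlite3.Connection, segment: str) -> List[Tuple]:
    """Reject anything that is not a plain integer, then bind it."""
    if not segment.isdigit():
        return []
    return con.execute("SELECT id, title FROM posts WHERE cat_id = ?",
                       (int(segment),)).fetchall()


def extract_string(oracle: Callable[[str], bool], expr: str,
                   alphabet: str = "0123456789.", max_len: int = 32) -> str:
    """Recover the value of a SQL expression one character at a time from a
    page that only reveals true/false (posts shown or not)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(f"1 and substr({expr},{pos},1)='{ch}'"):
                recovered += ch
                break
        else:
            break   # no candidate matched: end of string, or a char outside the alphabet
    return recovered


def run_demo() -> dict:
    con = setup_db()
    leak = lambda seg: bool(blog_by_cat_vulnerable(con, seg))   # posts shown?
    safe = lambda seg: bool(blog_by_cat_fixed(con, seg))
    return {
        "leaked_version": extract_string(leak, "sqlite_version()"),
        "real_version": sqlite3.sqlite_version,
        "leaked_from_fixed": extract_string(safe, "sqlite_version()"),
        "fixed_legit_rows": len(blog_by_cat_fixed(con, "1")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the concatenating handler the loop recovers the complete database version from nothing but "posts or no posts"; against the validating handler every probe is rejected before it reaches SQL, so nothing leaks, while a legitimate request for category 1 still returns its two posts.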

Solution: The vendor did not reply to notifications; an unofficial patch developed by High-Tech Bridge Security Research Lab is available here: https://www.htbridge.com/advisory/HTB23177-patch.zip

Source: High-Tech Bridge Advisory HTB23177 - SQL Injection in appRain.

Wednesday, November 6, 2013

Yahoo launches $15,000 bug bounty program

Yahoo launches $15,000 bug bounty after $12.50 company voucher debacle
Web portal Yahoo launched a bug bounty programme on Friday following the scandal that unravelled last month, which saw a security firm rewarded with a $12.50 Yahoo Company Store voucher for uncovering a security flaw.

In what is good news for security researchers, Yahoo said that the bounty programme will now pay up to $15,000 to ethical hackers who find vulnerabilities in its web services, a much bigger reward than its previous policy of offering a company t-shirt. Read more at The Inquirer

Yahoo offers $15,000 to bug hunters
Yahoo is seeking to entice bug hunters with rewards up to $15,000 depending on the severity of the bug found. The web giant was criticized by security researchers for paying a measly $12.50 in Yahoo discount vouchers to security researchers at High-Tech Bridge for two cross-site scripting (XSS) bugs they had reported. Yahoo's security head, Ramses Martinez, claimed later that he was behind the voucher reward program, and that he basically had been paying for them out of his own pocket. Read more at AfterDawn Oy

Following controversy, Yahoo officially launches bug bounty program
As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as a misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting error.

The company caught flak in September when it was reported that the $12.50 – a scant prize as it is – came as a discount code that could be used toward Yahoo-branded merchandise like t-shirts, cups and pens from its store. Read more at Threatpost

Monday, November 4, 2013

HTB23176: Cross-Site Scripting (XSS) in GuppY

High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in GuppY that can be exploited to perform cross-site scripting attacks against users of the vulnerable application.

The first cross-site scripting (XSS) vulnerability in GuppY exists due to insufficient sanitisation of user-supplied data in the "an" HTTP GET parameter passed to the "/agenda.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

The exploitation example below closes a quoted attribute and injects an "onmouseover" handler that calls "alert()". Note that the published payload passes 'document.cookie' as a quoted string literal, so as written it displays that text rather than the cookie value; removing the quotes would display the user's cookies:
http://[host]/agenda.php?agv=2&an=%22%20onmouseover%3dalert%28%27document.cookie%27%29%20%22

The second XSS vulnerability exists due to insufficient sanitisation of user-supplied data in the "cat" HTTP GET parameter passed to the "/mobile/thread.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

The exploitation example below uses the same "onmouseover" injection; as with the first example, 'document.cookie' is quoted in the published payload and so is displayed as text rather than evaluated:
http://[host]/mobile/thread.php?cat=1%22%20onmouseover%3dalert%28%27document.cookie%27%29%20%22

Solution: Update to GuppY 4.6.28

Source: High-Tech Bridge security advisory HTB23176.