Executive Summary

This Alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary

Title: Coursemill Learning Management System contains multiple vulnerabilities

Informations
Name: VU#960908
First vendor publication: 2013-08-30
Vendor: VU-CERT
Last vendor modification: 2013-08-30
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
Attack range: Network
CVSS impact score: 10
Attack complexity: Medium
CVSS exploit score: 8.6
Authentication: None required

Detail

Vulnerability Note VU#960908

Coursemill Learning Management System contains multiple vulnerabilities

Original Release date: 30 Aug 2013 | Last revised: 30 Aug 2013

Overview

Coursemill Learning Management System version 6.6 and 6.8 contains multiple vulnerabilities.

Description

CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3599

In Coursemill 6.6, when loading the home page (/coursemill/cm0660/home.html) the response to the userlogin.jsp request returns the user role as a parameter (passed to the client for processing). In Coursemill 6.8, this has been partially remediated. Privilege escalation is still possible without authentication.

CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3600
In Coursemill 6.6, the userid parameter is exploitable in certain functions. Using the "Edit Profile" function and replaying the request can result in access to another user (or privileged user's) information. It is unknown if this is remediated in version 6.8.

CWE-250: Execution with Unnecessary Privileges - CVE-2013-3601
In Coursemill 6.6, the application relies on JavaServer Pages (JSP) for user-executed functions. These function calls take an “op” parameter that tells the JSP which operation to run. Operations that should be restricted to administrators were found to be executable by users in the non-administrative Student role. This has been remediated in Coursemill 6.8.
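
The two findings above (CVE-2013-3599 and CVE-2013-3601) share one fix: the role must come from the server-side session, and every "op" must declare the role it requires. The following is an added example, not Coursemill code; `Session`, `dispatch`, `is_allowed` and the op names are hypothetical.

```python
# Added example: server-side authorization for an "op"-style dispatcher.
# The role is read from the server-side session (populated at login from the
# user store), never from a request parameter. Names are hypothetical.
from dataclasses import dataclass

ROLE_RANK = {"student": 1, "instructor": 2, "admin": 3}


@dataclass
class Session:
    user_id: int
    role: str  # set at login; a client-sent "role" parameter is never consulted


def list_courses(session: Session) -> str:
    return f"courses visible to user {session.user_id}"


def delete_user(session: Session) -> str:
    return f"user deleted by admin {session.user_id}"


# Every op names the minimum role that may invoke it (constructed table).
OPS = {
    "listCourses": ("student", list_courses),
    "deleteUser": ("admin", delete_user),
}


class Forbidden(Exception):
    pass


def is_allowed(session: Session, op: str) -> bool:
    """True only if the op exists and the session role ranks high enough."""
    if op not in OPS:
        return False
    required, _ = OPS[op]
    return ROLE_RANK.get(session.role, 0) >= ROLE_RANK[required]


def dispatch(session: Session, params: dict) -> str:
    """Run params['op'] after a server-side check; extra params such as a
    client-supplied 'role' are ignored (the CVE-2013-3599 pattern)."""
    op = params.get("op", "")
    if not is_allowed(session, op):
        raise Forbidden(f"op {op!r} denied for role {session.role!r}")
    return OPS[op][1](session)
```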

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2013-3602
In Coursemill 6.6, the following JSP call is intended to retrieve information about uploaded documents:
/coursemill/cm0660/admindocumentworker.jsp?op=info&docID=1&rndval=1348848360092&getAttrs=undefined

The docID parameter passes the numeric value of the document to the server, which then retrieves the document data from the database. The application passes SQL statements built directly from user input to the SQL server for processing. This has been remediated in Coursemill 6.8.
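
The docID lookup, done the vulnerable way and the corrected way, as an added example (not Coursemill code) against a constructed in-memory SQLite table; `make_db`, `doc_info_unsafe` and `doc_info_safe` are hypothetical names.

```python
# Added example: CWE-89 in the docID lookup, with the hardened form beside it.
# The table contents are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (docID INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "syllabus.pdf", "alice"), (2, "grades.xlsx", "admin")],
    )
    return conn


def doc_info_unsafe(conn: sqlite3.Connection, doc_id: str) -> list:
    """The pattern the note describes: the request parameter is pasted into
    the statement, so the database sees whatever the client sent."""
    sql = "SELECT docID, name FROM documents WHERE docID = " + doc_id
    return conn.execute(sql).fetchall()


def is_valid_doc_id(doc_id: str) -> bool:
    """docID is documented as numeric: accept only a short string of digits."""
    return doc_id.isdigit() and len(doc_id) <= 10


def doc_info_safe(conn: sqlite3.Connection, doc_id: str) -> list:
    """Validate the expected type, then bind the value as a parameter so it
    can never be interpreted as SQL."""
    if not is_valid_doc_id(doc_id):
        raise ValueError("docID must be a non-negative integer")
    return conn.execute(
        "SELECT docID, name FROM documents WHERE docID = ?", (int(doc_id),)
    ).fetchall()
```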

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3603
In Coursemill 6.6, the application was observed to reflect error messages containing user-provided URL input directly to the browser without proper input validation and output encoding. This allows for a reflected XSS attack, whereby an attacker can pass a crafted link to a user which when clicked, executes malicious JavaScript to attack the user.

This is partially remediated in Coursemill 6.8. The application is still vulnerable to reflected XSS due to insufficient input validation and output encoding. The application attempts to remove event attributes by keyword: anything containing the letters “on” (such as “onmouseover”) is removed. This can be defeated by inserting null bytes (%00) between the “o” and the “n”, which evades the filter and allows the browser to execute the script. The additional validation step of removing closing brackets (“>”) is also insufficient because some browsers, such as Internet Explorer, tolerate the lack of a closing bracket and execute the HTML regardless.
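
Why the keyword blacklist described above fails and what the correct control is, as an added example (not Coursemill code). `blacklist_filter` is a model of the filter as the note describes it, not the vendor's code; `encode_for_html` and `reflected_is_inert` are hypothetical names.

```python
# Added example: blacklist filtering versus context-aware output encoding for
# a URL reflected into an HTML error message. The sample input is constructed
# from the note's own description (a null byte splitting "on", no closing ">").
import html
import re
from urllib.parse import unquote


def blacklist_filter(value: str) -> str:
    """Model of the 6.8 behaviour as described: strip '>' and any 'on'."""
    value = value.replace(">", "")
    return re.sub(r"on", "", value, flags=re.IGNORECASE)


def encode_for_html(value: str) -> str:
    """The actual fix: entity-encode every markup-significant character for
    the HTML text/attribute context the value is reflected into."""
    return html.escape(value, quote=True)


def render_error(user_url: str) -> str:
    """Error page fragment that reflects the user-supplied URL safely."""
    return "<p>Invalid URL: " + encode_for_html(user_url) + "</p>"


def reflected_is_inert(encoded: str) -> bool:
    """Review check: after encoding, no raw tag or quote delimiter remains,
    so the browser cannot start an element or attribute from user data."""
    return not any(ch in encoded for ch in "<>\"'")


SAMPLE = unquote("<b o%00nmouseover=x")  # constructed, per the note's description
```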

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3604
In Coursemill 6.6 and 6.8, a stored XSS attack is possible in several application inputs.
Coursemill 6.8 adds a filter for closing quotes, but does not filter other input (such as %22).

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-3605
Coursemill 6.6 relies on cookie values to authenticate a request from a user, rendering it vulnerable to CSRF attacks. Coursemill 6.8 adds CSRF tokens but they are constructed using predictable values (timestamps of the user).
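
A CSRF token that is unpredictable and bound to the session, contrasted with a timestamp-derived one like the note describes, as an added example (not Coursemill code). `predictable_token`, `issue_token` and `verify_token` are hypothetical names; the server secret is generated at process start.

```python
# Added example: predictable versus unguessable CSRF tokens.
import hashlib
import hmac
import secrets

# Process-wide secret, generated once at startup (constructed for the example).
SERVER_SECRET = secrets.token_bytes(32)


def predictable_token(user_login_ts: int) -> str:
    """The weak scheme the note describes: derived from the user's timestamp,
    so anyone who can estimate the login time can recompute it."""
    return hashlib.sha1(str(user_login_ts).encode()).hexdigest()


def issue_token(session_id: str) -> str:
    """Fresh random nonce, authenticated with an HMAC over the session id so a
    token minted for one session is rejected when presented with another."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(
        SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(mac, expected)
```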

Impact

An attacker can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which may result in information leakage or privilege escalation.

Solution

Apply an Update
Coursemill version 6.8 provides some remediation to these issues.

Vendor Information

Vendor: Trivantis
Status: Affected
Date notified: 12 Jun 2013
Date updated: 30 Aug 2013

CVSS Metrics

Group          Score  Vector
Base           6.4    AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal       5.8    E:POC/RL:U/RC:C
Environmental  1.5    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://lectora.com/e-learning-software-downloads/

Credit

Thanks to Mike Czumak for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2013-3599, CVE-2013-3600, CVE-2013-3601, CVE-2013-3602, CVE-2013-3603, CVE-2013-3604, CVE-2013-3605
  • Date Public: 30 Aug 2013
  • Date First Published: 30 Aug 2013
  • Date Last Updated: 30 Aug 2013
  • Document Revision: 17

Original Source

Url : http://www.kb.cert.org/vuls/id/960908

CWE : Common Weakness Enumeration

%    Id       Name
40 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
20 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
20 % CWE-20 Improper Input Validation
10 % CWE-264 Permissions, Privileges, and Access Controls
10 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type: Application
Count: 2

Alert History

Date / Informations
2013-09-06 21:22:56
  • Multiple Updates
2013-09-06 17:22:35
  • Multiple Updates
2013-08-31 00:19:52
  • First insertion