Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Claroline 1.7.2, sso identification vulnerability
From: karmaguedon () hotmail com
Date: 20 Jan 2006 17:27:26 -0000
hi,
this is what we can read in file "/claroline/inc/claro_init_local.inc.php" :

[...]
$ssoCookieValue      = md5( mktime() );

                $sql = "UPDATE `".$tbl_sso."`
                        SET cookie    = '".$ssoCookieValue."',
                            rec_time  = NOW()
                        WHERE user_id = ". (int) $_uid;

                $affectedRowCount = claro_sql_query_affected_rows($sql);

                if ($affectedRowCount < 1)
                {
                    $sql = "INSERT INTO `".$tbl_sso."`
                            SET cookie    = '".$ssoCookieValue."',
                                rec_time  = NOW(),
                                user_id   = ". (int) $_uid;

                    claro_sql_query($sql);
                }

               $boolCookie = setcookie($ssoCookieName, $ssoCookieValue,
                                       $ssoCookieExpireTime,
                                       $ssoCookiePath, $ssoCookieDomain);
[...]

so, the cookie value must be always unknown.
in this code, the cookie value is the md5 value of the connection time ! really unknown ? no.

solution :
desactivate sso service
or
replace mktime() by rand(100,1000000) (for e.g)

  By Date           By Thread  

Current thread:
  • Claroline 1.7.2, sso identification vulnerability karmaguedon (Jan 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]