Date: Thu, 8 Mar 2018 19:41:23 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Vulnerabilities and default credentials in Ilias e-learning software / German gov hack

Hi,

You may have heard that the German government has been hacked recently.
As we learned today the entry point of the hack likely happened via the
e-learning software Ilias. It's an open source PHP-based software:
https://www.ilias.de/

We had an article about this today on Golem.de and we also created an
English translation:
https://www.golem.de/news/government-hack-hack-on-german-government-via-e-learning-software-ilias-1803-133231.html

While we don't know what exactly happened, Ilias itself seems to have
had quite a few vulnerabilities in the past:

Arbitrary copying of files
https://lists.ilias.de/pipermail/ilias-admins/2017-March/000020.html

Cross Site Scripting in SVG import
https://lists.ilias.de/pipermail/ilias-admins/2017-April/000024.html

Cross Site Scripting due to lack of escaping
https://lists.ilias.de/pipermail/ilias-admins/2017-June/000034.html

System emails sometimes get delivered to the wrong people
https://lists.ilias.de/pipermail/ilias-admins/2017-August/000047.html

Vulnerability in handling of media files with unknown impact
https://lists.ilias.de/pipermail/ilias-admins/2017-October/000053.html

Reflected cross site scripting
https://lists.ilias.de/pipermail/ilias-admins/2018-February/000064.html

Apart from all that the software by default creates an administrator
account with the default username "root" and password "homer". The user
is neither forced nor asked to change these. (Opinions here may differ,
but in my opinion default credentials are a design vulnerability on
their own.)

If you happen to run Ilias please update to the latest version and make
sure that you have changed the password for the "root" account.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
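A check for the last point in the post (an ILIAS instance still accepting the shipped "root" / "homer" login), written as an added example for this page. It is not code from the post's author or from the ILIAS project. It assumes only that the login page carries one HTML form with a password input, a text input for the user name, and hidden or submit inputs that must be echoed back; it reads the form action and those field names from the page instead of hard-coding ILIAS internals, and treats a redirect away from the login page, or a 200 response that no longer contains a login form, as a successful login. The login page and fake transport embedded below are constructed so the check runs offline.

```python
"""Probe a login page for the default ILIAS admin credentials (root / homer).
Added example; assumptions about the form layout are stated in the lead-in."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser

DEFAULT_CREDS = [("root", "homer")]   # the pair the post reports ILIAS ships with


class _FormParser(HTMLParser):
    """Collect (action, [(name, type, value), ...]) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = (a.get("action") or "", [])
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur[1].append((a.get("name"), (a.get("type") or "text").lower(), a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def parse_login_form(html):
    """First form that has a password field, as a dict; None if the page has none."""
    p = _FormParser()
    p.feed(html)
    for action, inputs in p.forms:
        pw = [n for n, t, _ in inputs if t == "password" and n]
        if not pw:
            continue
        user = [n for n, t, _ in inputs if t in ("text", "email") and n]
        fields = {n: v for n, t, v in inputs if n and t == "hidden"}
        submit = [(n, v) for n, t, v in inputs if n and t == "submit"]
        if submit:                        # echo only the first submit button back
            fields[submit[0][0]] = submit[0][1]
        return {"action": action, "user": user[0] if user else None,
                "password": pw[0], "fields": fields}
    return None


def try_login(login_url, username, password, fetch):
    """Submit one credential pair. fetch(url, data=None) -> (status, headers, body)
    is injected so the logic can be exercised offline against a fake server."""
    _, _, body = fetch(login_url)
    form = parse_login_form(body)
    if form is None or form["user"] is None:
        raise RuntimeError("no login form found at " + login_url)
    data = dict(form["fields"], **{form["user"]: username, form["password"]: password})
    action = urllib.parse.urljoin(login_url, form["action"] or login_url)
    status, headers, body = fetch(action, urllib.parse.urlencode(data).encode())
    if status in (301, 302, 303):
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        return "login" not in location.lower()
    return status == 200 and parse_login_form(body) is None


def check_instance(login_url, fetch=None):
    """Default credential pairs the instance accepted; an empty list is the good outcome."""
    fetch = fetch or http_fetch
    return [(u, p) for u, p in DEFAULT_CREDS if try_login(login_url, u, p, fetch)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                       # surface 3xx to the caller instead of following


_opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPCookieProcessor())


def http_fetch(url, data=None):
    """Real transport: GET when data is None, otherwise POST; cookies kept across calls."""
    try:
        with _opener.open(urllib.request.Request(url, data=data), timeout=15) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# Constructed stand-in for a login page (not a real ILIAS page) so the check runs offline.
FAKE_LOGIN_PAGE = """<html><body>
<form action="ilias.php?baseClass=ilStartUpGUI" method="post">
<input type="hidden" name="cmdNode" value="x1">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="cmd[doStandardAuthentication]" value="Login">
</form></body></html>"""


def make_fake_fetch(accepted):
    """Fake transport that accepts exactly the (user, password) pairs in `accepted`."""
    def fetch(url, data=None):
        if data is None:
            return 200, {}, FAKE_LOGIN_PAGE
        sent = urllib.parse.parse_qs(data.decode())
        pair = (sent.get("username", [""])[0], sent.get("password", [""])[0])
        if pair in accepted:
            return 302, {"Location": "ilias.php?baseClass=ilPersonalDesktopGUI"}, ""
        return 200, {}, FAKE_LOGIN_PAGE
    return fetch


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://ilias.example/login.php"
    fetch = None if len(sys.argv) > 1 else make_fake_fetch({("root", "homer")})
    hits = check_instance(url, fetch)
    print("default credentials ACCEPTED: %r" % hits if hits else "default credentials rejected")
    sys.exit(1 if hits else 0)
```

Run it with the login URL of your own instance as the only argument (with no argument it exercises the constructed fake, which deliberately still accepts root/homer). A non-zero exit means the default account is live; the fix is the one the post gives, change the root password and update. Only run this against systems you are authorised to test.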