CVE-2023-45868

8.1 HIGH

📋 TL;DR

CVE-2023-45868 is a directory traversal vulnerability in ILIAS Learning Module 7.25 that allows authenticated attackers to relocate directories outside the document root to publicly accessible locations using manipulated POST requests. This exposes sensitive files and can cause denial of service by making original files unavailable. Organizations running ILIAS 7.25 with the Learning Module enabled are affected.

💻 Affected Systems

Products:
  • ILIAS Learning Management System
Versions: ILIAS 7.25 (specifically 2023-09-12 release)
Operating Systems: Any OS running PHP and ILIAS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Learning Module to be enabled and attacker needs basic user privileges.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of sensitive system files (configuration files, credentials, databases) and denial of service for critical ILIAS components and underlying OS services.

🟠 Likely Case

Exposure of sensitive ILIAS data (user information, course materials) and disruption of specific learning modules through file relocation.

🟢 If Mitigated

Limited impact with proper input validation and file permission restrictions preventing directory traversal.

🌐 Internet-Facing: HIGH - Network-based vulnerability that can be exploited remotely by authenticated users.
🏢 Internal Only: HIGH - Even internal attackers with basic user privileges can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access and manipulation of POST parameters during exercise unit creation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ILIAS 7.25.1 or later

Vendor Advisory: https://docu.ilias.de/goto_docu_pg_145918_4791.html

Restart Required: No

Instructions:

1. Back up the ILIAS installation and database.
2. Download the latest ILIAS version from the official repository.
3. Replace the affected files with the patched version.
4. Run the ILIAS update script.
5. Verify Learning Module functionality.

🔧 Temporary Workarounds

Disable Learning Module

Platform: all

Temporarily disable the vulnerable Learning Module component.

# Edit ILIAS configuration to disable Learning Module
# Specific commands depend on ILIAS installation method

Input Validation WAF Rule

Platform: linux

Implement web application firewall rules to block directory traversal patterns in POST request parameters.

# Example ModSecurity rule (t:urlDecodeUni also catches percent-encoded ../ sequences):
SecRule ARGS "\.\./" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'Directory Traversal Attempt'"

🧯 If You Can't Patch

  • Implement strict input validation for all POST parameters in the Learning Module
  • Restrict file system permissions to prevent PHP from moving directories outside document root

🔍 How to Verify

Check if Vulnerable:

Check ILIAS version in administration panel or by examining the ILIAS installation directory for version files. Verify if running 7.25 (2023-09-12 release).

Check Version:

Check ILIAS version via web interface at /ilias.php?baseClass=ilAdministrationGUI or examine ilInitialisation.php file

Verify Fix Applied:

After patching, attempt to reproduce the vulnerability by creating an exercise unit with directory traversal payloads in old_name/new_name parameters.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to Learning Module with ../ patterns in parameters
  • PHP rename() function errors showing path traversal attempts
  • Unexpected file system operations in ILIAS directories

Network Indicators:

  • HTTP POST requests containing directory traversal sequences (\.\./) to exercise creation endpoints

SIEM Query:

source="web_logs" AND (uri_path="*LearningModule*" OR uri_path="*exercise*" OR uri_path="*ilExerciseHandler*" OR uri_path="*ilObjExerciseGUI*") AND http_method="POST" AND (request_body LIKE "%..%" OR request_body LIKE "%old_name%" OR request_body LIKE "%new_name%")
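The log indicators above, applied in code: the following Python script is an added detection example, not part of this advisory or of ILIAS. It inspects POST requests to the exercise endpoints named in the SIEM query, percent-decodes parameter values repeatedly so encoded traversal sequences are not missed, and reports which parameters (such as old_name/new_name) carry them. The request records are constructed sample data.

```python
"""Flag POST requests to ILIAS exercise/Learning Module endpoints whose
parameters carry path-traversal sequences, including URL-encoded forms."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint fragments taken from the SIEM query on this page.
ENDPOINT_HINTS = ("LearningModule", "exercise", "ilExerciseHandler", "ilObjExerciseGUI")
# Matches ../ and ..\ after decoding, so mixed separators are covered too.
TRAVERSAL = re.compile(r"\.\.[\\/]")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%2f is caught."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def inspect_request(method, url, body):
    """Return (param, decoded_value) pairs carrying traversal sequences,
    or an empty list if the request does not match the indicators."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(url)
    if not any(h in parts.path + "?" + parts.query for h in ENDPOINT_HINTS):
        return []
    hits = []
    # parse_qs decodes one layer; decode_fully handles nested encoding.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            decoded = decode_fully(v)
            if TRAVERSAL.search(decoded):
                hits.append((name, decoded))
    return hits

# Constructed sample records: (method, url, url-encoded POST body).
SAMPLE_REQUESTS = [
    ("POST", "/ilias.php?baseClass=ilObjExerciseGUI&cmd=save", "old_name=unit1&new_name=unit2"),
    ("POST", "/ilias.php?baseClass=ilObjExerciseGUI&cmd=save",
     "old_name=unit1&new_name=..%2F..%2F..%2Fpublic%2Fleak"),
    ("POST", "/ilias.php?baseClass=ilObjExerciseGUI&cmd=save", "old_name=%252e%252e%2Fconf&new_name=x"),
    ("GET", "/ilias.php?baseClass=ilObjExerciseGUI&cmd=view", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map the index of each suspicious request to its offending parameters."""
    findings = {}
    for i, (method, url, body) in enumerate(requests):
        hits = inspect_request(method, url, body)
        if hits:
            findings[i] = hits
    return findings
```

Running scan() over the constructed records flags requests 1 and 2 only; a plain `..` substring match on the raw body, as in the SIEM query, would miss the double-encoded case in request 2.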
