High-Tech Bridge, HTB23226
Aug 06, 2014 - 12:00 a.m.

Two Reflected Cross-Site Scripting (XSS) Vulnerabilities in Forma Lms

www.htbridge.com

EPSS: 0.003 (Percentile: 65.5%)

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Forma Lms, which can be exploited to perform Cross-Site Scripting (XSS) attacks against a vulnerable website.

  1. Reflected Cross-Site Scripting (XSS) in Forma Lms: CVE-2014-5257

1.1 The vulnerability exists due to insufficient sanitization of input data passed via the “id_custom” HTTP GET parameter to “/appCore/index.php”. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Further exploitation of the vulnerability may allow an attacker to use advanced techniques to gain full control over the browser session and perform arbitrary tasks with the privileges of the logged-in user.

The exploitation example below uses the “alert()” JavaScript function to display the word “immuniweb”:

http://formalms/appCore/index.php?modname=amanmenu&op=modcustom&id_custom=%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient sanitization of input data passed via the “id_game” HTTP GET parameter to “/appCore/index.php”. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Further exploitation of the vulnerability may allow an attacker to use advanced techniques to gain full control over the browser session and perform arbitrary tasks with the privileges of the logged-in user.

The exploitation example below uses the “alert()” JavaScript function to display the word “immuniweb”:

http://formalms/appCore/index.php?r=alms/games/edit&id_game="><script%3Ealert%28/immuniweb/%29;%3C/script%3E
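
A log check for the two parameters described in 1.1 and 1.2, added here as an example and not taken from the advisory or from Forma Lms: it scans web-server access-log lines for requests to “/appCore/index.php” whose “id_custom” or “id_game” value is not a plain integer. Treating both parameters as numeric identifiers, the combined log format, and the sample log lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters and script path named in the advisory. Treating both values as
# numeric identifiers is an assumption made for this example.
WATCHED = {"id_custom", "id_game"}
TARGET_PATH = "/appCore/index.php"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Aug/2014:10:00:01 +0000] "GET /appCore/index.php?modname=amanmenu&op=modcustom&id_custom=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Aug/2014:10:00:05 +0000] "GET /appCore/index.php?modname=amanmenu&op=modcustom&id_custom=%22%3E%3Cb%3E HTTP/1.1" 200 5342',
    '203.0.113.9 - - [06/Aug/2014:10:01:12 +0000] "GET /appCore/index.php?r=alms/games/edit&id_game=7%2522%253E HTTP/1.1" 200 4988',
    '203.0.113.9 - - [06/Aug/2014:10:02:00 +0000] "GET /index.php?id_game=abc HTTP/1.1" 404 312',
]

def suspicious_params(request_target):
    """Return (name, decoded value) for watched parameters that are not integers."""
    try:
        parts = urlsplit(request_target)
    except ValueError:  # malformed request target; nothing to inspect
        return []
    # endswith() also covers installations below a sub-directory.
    if not parts.path.endswith(TARGET_PATH):
        return []
    # parse_qsl percent-decodes once, so a double-encoded value still contains
    # '%' after decoding and fails the digits-only allowlist.
    return [(name, value) for name, value in parse_qsl(parts.query)
            if name in WATCHED and not re.fullmatch(r"[0-9]+", value)]

def scan(log_lines):
    """Return (line number, parameter, decoded value) for every flagged request."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings.extend((lineno, n, v) for n, v in suspicious_params(match.group(1)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same digits-only allowlist, applied server-side before the value is written into the page, is the corresponding input check if the parameters are indeed integer IDs.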
