Chamilo LCMS Connect 4.1 Clickjacking

2015-03-27T00:00:00
ID PACKETSTORM:131066
Type packetstorm
Reporter Vadodil Joel Varghese
Modified 2015-03-27T00:00:00

Description

                                        
                                            `Hi Team,  
  
#Affected Vendor: http://lcms.chamilo.org/  
#Date: 27/03/2015  
#Discovered by: Joel Vadodil Varghese  
#Type of vulnerability: Clickjacking  
#Tested on: Windows 7  
#Product: LCMS Connect  
#Version: 4.1  
#Description: Chamilo is an open-source (under GNU/GPL licensing)  
e-learning and content management system, aimed at improving access to  
education and knowledge globally. Chamilo LCMS is a completely new software  
platform for e-learning and collaboration. Framing involves placing one  
webpage within another webpage by use of the iframe HTML element. One  
familiar use of iframes is to embed maps within web pages. LCMS connect is  
susceptible to clickjacking attack.  
  
#Proof of Concept (PoC):  
------------------------------------  
<iframe src="http://localhost/Chamilo/" sanboxed width=900 height=900>  
Please check me out !!!!  
</iframe>  
  
--   
Regards,  
  
*Joel V*  
`