LMS Web Ensino XSRF / XSS / SQL Injection / Session Fixation

Published: 04 Mar 2011. Reported by Flavio do Carmo Junior. Source: packetstorm (packetstormsecurity.com).

Vulnerabilities in LMS Web Ensino including XSRF, XSS, SQL injection, and session fixation. High impact on user security.

Code
[DCA-2011-0003]  
  
  
[Discussion]  
- DcLabs Security Research Group advises about the following vulnerabilities:  
  
[Software]  
- LMS Web Ensino  
  
[Vendor Product Description - translated from Portuguese]  
- The Learning Management System (LMS) Web Ensino is a complete tool  
for managing and delivering distance courses and training. Versatile,  
its construction and configuration allow efficient application for  
both corporate and academic use, at small or large scale, and it can  
be customized to meet the most diverse demands and to integrate with  
legacy systems. It offers security, performance and robustness, proven  
by its use in organizations of various sizes, serving more than 200  
thousand users.  
- Over the years LMS Web Ensino has incorporated innovations that are  
the result of research and development together with the universities  
and companies that use the system in Brazil and Latin America. Beyond  
the technical characteristics that qualify it as one of the best LMSs  
on the market, Web Ensino has an intangible differentiator: the  
commitment and quality of service of DEC, which its customers can  
attest to.  
- Source: http://www.webensino.com.br/?p=webensino  
  
[Advisory Timeline]  
- 14/Feb/2011 -> First notification sent, release date set to March 01, 2011.  
- 14/Feb/2011 -> Vendor confirms notification received.  
- 21/Feb/2011 -> Situation report requested.  
- 01/Mar/2011 -> No vendor response.  
- 02/Mar/2011 -> Advisory published.  
  
[Bug Summary]  
- Session Fixation  
- Multiple Persistent/Stored Cross-Site Scripting (XSS)  
- Multiple Non-Persistent Cross-Site Scripting (XSS)  
- Cross Site Request Forgery (CSRF/XSRF)  
- Blind SQL Injection (SQLi)  
  
[Impact]  
- High  
  
[Affected Version]  
- Latest (2011-02)  
- Other versions can also be affected but weren't tested.  
  
[Bug Description and Proof of Concept]  
+ Session Fixation  
The application reuses a previously used or injected cookie for  
logins, so a malicious user can take advantage of shared computers  
(very common in colleges) and steal victim credentials, including  
those of teachers or administrators.  
  
*All of the following flaws require an authenticated user*  
  
+ Non-Persistent XSS (Cross-Site Scripting)  
The application fails to sanitize/validate user input in at least one page:  
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar  
  
+ Persistent/Stored XSS (Cross-Site Scripting)  
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao  
. Incluir Publicação (New post) -> The "textarea" here doesn't  
validate user input, allowing the user to insert HTML/JavaScript.  
  
+ Cross Site Request Forgery (CSRF)  
The form responsible for changing user profiles and passwords uses  
neither a token nor a confirmation step before taking action.  
An attacker can host a copy of the POST data and entice users to visit  
his website, which auto-submits the POST data.  
An attacker can use the previous XSS vulnerability to change the  
password of all users visiting his post/note.  
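The two session-level defects above (no session-id rotation at login, no CSRF token on the profile/password form) are easiest to see next to the controls that close them. The following is an added example, not code from the advisory or from Web Ensino: a minimal in-memory session store whose `resolve`, `login` and `change_password` methods are assumptions for illustration. `login` moves the session data to a freshly generated id so that a pre-login id left on a shared computer stops working, and `change_password` refuses any POST whose `csrf_token` field does not match the token bound to the session.

```python
import hmac
import secrets


class SessionStore:
    """In-memory session store (an illustration, not the LMS's own code)
    with the two controls the advisory reports as missing."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def resolve(self, cookie_sid):
        """Map the browser's cookie to a session. An id the server never
        issued is not adopted, so an arbitrary planted value is ignored."""
        if cookie_sid in self._sessions:
            return cookie_sid
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the session id: the data moves to a fresh
        id and the pre-login id (known to whoever used the PC before) dies."""
        data = self._sessions.pop(sid)
        data["user"] = user
        data["csrf"] = secrets.token_urlsafe(32)  # per-session CSRF token
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def csrf_token(self, sid):
        """Token to embed as a hidden field in the profile/password form."""
        return self._sessions[sid]["csrf"]

    def change_password(self, sid, form):
        """Profile/password handler: requires a logged-in session and a CSRF
        token equal to the one bound to that session."""
        data = self._sessions.get(sid)
        if data is None or data["user"] is None:
            return False
        if not hmac.compare_digest(form.get("csrf_token", ""), data["csrf"]):
            return False  # a cross-site form cannot read the victim's token
        data["password"] = form["new_password"]
        return True


def fixation_scenario():
    """Shared-computer scenario from the advisory: the first user leaves a
    valid pre-login id behind and the victim then logs in with that cookie."""
    store = SessionStore()
    planted = store.resolve(None)  # id the first user knows
    victim_sid = store.login(store.resolve(planted), "teacher")
    return {
        "rotated": victim_sid != planted,
        "planted_id_still_valid": store.user_for(planted) is not None,
        "victim_logged_in": store.user_for(victim_sid) == "teacher",
    }


def csrf_scenario():
    """A forged POST without the token fails; the real form succeeds."""
    store = SessionStore()
    sid = store.login(store.resolve(None), "student")
    forged = store.change_password(sid, {"new_password": "attacker-chosen"})
    legit = store.change_password(
        sid, {"new_password": "user-chosen", "csrf_token": store.csrf_token(sid)}
    )
    return forged, legit


if __name__ == "__main__":
    print(fixation_scenario())
    print(csrf_scenario())
```

In PHP the same rotation is `session_regenerate_id(true)` immediately after the credentials check; the token comparison must stay constant-time, which is what `hmac.compare_digest` (or `hash_equals` in PHP) provides.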
  
+ Blind SQL Injection  
The application fails to sanitize/validate user input in at least one page:  
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi>  
example:  
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end  
Note: The recommended application setup is PHP+PostgreSQL, which can  
provide stacked queries, allowing full database control.  
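Both the reflected XSS request (`modo=resbusca_biblioteca&pChave=...`) and the SQL injection request (`modo=itensCategoriaBiblioteca&codBibliotecaCategoria=...`) leave their payload in the web server's access log, so an operator can find probing against these pages after the fact. The following is an added example, not part of the advisory: a small scanner over constructed Apache/nginx combined-format log lines built from the advisory's two URLs (the client addresses, timestamps and the "clean" requests are made up). It decodes each query parameter, flags script markup, SQL tautology/comment/stacking markers, and a non-integer value in `codBibliotecaCategoria`, which the application only uses as an id; that last rule is an assumption about the parameter's type.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined access-log line layout (format assumption for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Script injection markers of the kind used in the advisory's pChave payload.
XSS_RE = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Tautologies, comment markers and stacked statements typical of SQLi probes.
SQLI_RE = re.compile(r"\b(?:or|and)\b\s+\S+\s*=\s*\S+|--|;|\bunion\b", re.IGNORECASE)
# Parameters the application only ever uses as integer ids (assumption).
NUMERIC_PARAMS = {"codBibliotecaCategoria"}

# Constructed sample: lines 1 and 2 mirror the advisory's URLs, 3 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2011:10:12:01 -0300] "GET /lms/sistema/webensino/index.php'
    '?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29'
    '%3C%2Fscript%3E&Submit=Buscar HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Mar/2011:10:13:44 -0300] "GET /lms/sistema/webensino/index.php'
    '?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end'
    ' HTTP/1.1" 200 811',
    '10.0.0.9 - - [03/Mar/2011:10:14:02 -0300] "GET /lms/sistema/webensino/index.php'
    '?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=42 HTTP/1.1" 200 3300',
    '10.0.0.9 - - [03/Mar/2011:10:15:10 -0300] "GET /lms/sistema/webensino/index.php'
    '?modo=resbusca_biblioteca&pChave=algebra+linear&Submit=Buscar HTTP/1.1" 200 2980',
]


def inspect(line):
    """Return the sorted list of rules one access-log line triggers:
    an empty list for a clean request, None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    query = urlsplit(m["target"]).query
    hits = set()
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # second decode pass catches double encoding
            if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
                hits.add("sqli-nonnumeric-id")
            if SQLI_RE.search(value):
                hits.add("sqli-pattern")
            if XSS_RE.search(value):
                hits.add("xss")
    return sorted(hits)


def scan(lines):
    """Summarise every suspicious line as (client ip, modo page, rules)."""
    report = []
    for line in lines:
        rules = inspect(line)
        if rules:
            m = LOG_RE.match(line)
            modo = parse_qs(urlsplit(m["target"]).query).get("modo", ["?"])[0]
            report.append((m["ip"], modo, rules))
    return report


if __name__ == "__main__":
    for ip, modo, rules in scan(SAMPLE_LOG):
        print(f"{ip} modo={modo} {','.join(rules)}")
```

The non-numeric-id rule is the one with the lowest false-positive rate, because a legitimate request to that page can never carry anything but an integer; the regex rules are broader and are best used to rank, not to block.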
  
  
----------------------------------------------------------------------------------------  
  
All flaws described here were discovered and researched by:  
Flávio do Carmo Júnior aka waKKu.  
DcLabs Security Research Group  
carmo.flavio <AT> dclabs <DOT> com <DOT> br  
  
[Workarounds]  
- No workaround was provided addressing these vulnerabilities.  
  
[Credits]  
DcLabs Security Research Group.  
  
  
--  
Regards,  
  
Flávio do Carmo Júnior aka waKKu @ DcLabs  
Florianópolis/SC  
http://br.linkedin.com/in/carmoflavio  
http://0xcd80.wordpress.com  
