[DCA-2011-0003]
[Discussion]
[Software]
[Vendor Product Description - Portuguese]
[Advisory Timeline]
[Bug Summary]
[Impact]
[Affected Version]
[Bug Description and Proof of Concept]
All of the following flaws require an authenticated user.
Non-Persistent XSS (Cross-Site Scripting)
The application fails to sanitize/validate user input on at least one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar
Persistent/Stored XSS (Cross-Site Scripting)
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao
. Incluir Publicação (New post) -> The "textarea" here does not
validate user input, allowing a user to insert HTML/JavaScript.
Cross Site Request Forgery (CSRF)
The form responsible for changing a user's profile and password uses
neither a token nor a confirmation step before taking action.
An attacker can host a copy of the POST data and entice users to visit
his website, which auto-submits the POST data.
An attacker can combine this with the previous stored XSS vulnerability to
change the password of every user who views his post/note.
Blind SQL Injection
The application fails to sanitize/validate user input on at least one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi>
Example:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end
Note: The recommended application setup is PHP+PostgreSQL, which makes
stacked queries available to the injection and so allows full control
of the database.
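Added example (not part of the original advisory): detection logic a defender could run over web-server access logs to spot requests hitting the two injectable parameters described above, flagging tag-like content in pChave and non-numeric values in codBibliotecaCategoria. The log lines, client IPs and the expectation that the category id is a plain integer are constructed assumptions.

```python
"""Flag requests matching the injection patterns reported for the
webensino index.php entry points (pChave / codBibliotecaCategoria)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2011:10:00:01 -0300] "GET /lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=redes&Submit=Buscar HTTP/1.1" 200 5120
10.0.0.9 - - [01/Mar/2011:10:00:07 -0300] "GET /lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar HTTP/1.1" 200 5300
10.0.0.9 - - [01/Mar/2011:10:00:12 -0300] "GET /lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end HTTP/1.1" 200 9000
10.0.0.7 - - [01/Mar/2011:10:00:15 -0300] "GET /lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=42 HTTP/1.1" 200 7200
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
HTML_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)  # any tag-like token after decoding

# Parameters the advisory reports as injectable, each with its own check.
# Assumption: codBibliotecaCategoria is a database id and must be digits only.
CHECKS = {
    "pChave": ("xss", lambda v: bool(HTML_RE.search(v))),
    "codBibliotecaCategoria": ("sqli", lambda v: re.fullmatch(r"\d+", v) is None),
}

def inspect_request(url):
    """Return (kind, param, decoded_value) if a watched parameter looks hostile, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/webensino/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    for param, (kind, is_suspicious) in CHECKS.items():
        for value in qs.get(param, []):
            if is_suspicious(value):
                return (kind, param, value)
    return None

def scan_log(text):
    """Return a list of (client_ip, kind, param, decoded_value) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = inspect_request(m.group("url"))
        if verdict:
            hits.append((m.group("ip"),) + verdict)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```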
All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br
[Workarounds]
[Credits]
DcLabs Security Research Group.
Best regards,
Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com