Dokeos 2.2 RC2 (index.php, language param) - SQL Injection Vulnerability

2013-12-03T00:00:00
ID 1337DAY-ID-21611
Type zdt
Reporter jagguar
Modified 2013-12-03T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            High-Tech Bridge Security Research Lab discovered vulnerability in Dokeos, which can be exploited to perform SQL Injection attacks.
 
 
1) SQL Injection in Dokeos: CVE-2013-6341
 
The vulnerability exists due to insufficient validation of "language" HTTP GET parameter passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database and gain complete control over the vulnerable web application.
 
The following exploitation example displays version of MySQL server:
 
http://[host]/index.php?language=0%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8%20--%202
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Vendor did not reply to 6 notifications by email, 1 notification via twitter, 2 forum threads/direct messages. Currently we are not aware of any official solution for this vulnerability.
 
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23181 - https://www.htbridge.com/advisory/HTB23181 - SQL Injection in Dokeos.
[2] Dokeos - http://www.dokeos.com/ - Dokeos, the flexible, enterprise-ready e-learning software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

#  0day.today [2018-01-10]  #