[DCA-2011-0003]: LMS Web Ensino - Multiple XSS, Session Fixation, CSRF and SQL Injection

From: Flavio do Carmo Junior aka waKKu <carmo.flavio@dclabs.com.br>
To: bugtraq@securityfocus.com
Subject: [DCA-2011-0003]: LMS Web Ensino - Multiple XSS, Session Fixation, CSRF and SQL Injection


[DCA-2011-0003]


[Discussion]
- DcLabs Security Research Group advises about the following vulnerabilities:

[Software]
- LMS Web Ensino

[Vendor Product Description - translated from Portuguese]
- The Web Ensino Learning Management System (LMS) is a complete tool for
managing and delivering distance-learning courses and training. Versatile,
its construction and configuration allow efficient deployment for both
corporate and academic use, at small or large scale, and it can be
customized to meet the most varied demands and to integrate with legacy
systems. It offers security, performance and robustness, proven by its use
in organizations of various sizes, serving more than 200 thousand users.
- Over the years, LMS Web Ensino has incorporated innovations that are the
result of research and development with the universities and companies
that use the system in Brazil and Latin America. Beyond the technical
characteristics that rank it among the best LMSs on the market, Web Ensino
has an intangible differentiator: the commitment and quality of DEC's
customer support, which its customers can attest to.
- Source: http://www.webensino.com.br/?p=webensino

[Advisory Timeline]
- 14/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 14/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- Session Fixation
- Multiple Persistent/Stored Cross-Site Scripting (XSS)
- Multiple Non-Persistent Cross-Site Scripting (XSS)
- Cross Site Request Forgery (CSRF/XSRF)
- Blind SQL Injection (SQLi)

[Impact]
- High

[Affected Version]
- Latest (2011-02)
- Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]
+ Session Fixation
The application reuses a previously used or injected session cookie for
logins. A malicious user can take advantage of this on shared computers
(very common in colleges) to steal victims' credentials, including those
of teachers or administrators.

*All following flaws need an authenticated user*

+ Non-Persistent XSS (Cross-Site Scripting)
The application fails to sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar

+ Persistent/Stored XSS (Cross-Site Scripting)
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao
. Incluir Publicação (New post) -> The "textarea" here doesn't
validate user input, allowing a user to insert HTML/JavaScript.

+ Cross Site Request Forgery (CSRF)
The form responsible for changing a user's profile and password uses
neither a token nor a confirmation step before taking action.
An attacker can host a copy of the POST data and entice users to visit
his website, which auto-submits the POST data.
An attacker can also use the previous persistent XSS vulnerability to
change the password of every user who views his post/note.

+ Blind SQL Injection
The application fails to sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi>
Example:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end
Note: The recommended application setup is PHP+PostgreSQL, which can
provide stacked SQL queries, allowing full control of the database.
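As an added, defender-side illustration (not part of the DcLabs advisory or the vendor's code), the following Python checks web-server access-log lines for requests shaped like the two GET proof-of-concepts above. The log lines and IPs are constructed, and it assumes codBibliotecaCategoria is meant to be an integer id, as the PoC suggests.

```python
"""Flag Web Ensino requests whose parameters carry markup or non-numeric
category ids, mirroring the reflected-XSS and blind-SQLi PoCs above."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# 'modo' values the advisory names, mapped to the parameter it shows as unsanitised.
WATCHED = {
    "resbusca_biblioteca": "pChave",                        # reflected XSS
    "itensCategoriaBiblioteca": "codBibliotecaCategoria",   # blind SQLi
}
# Tag opener, inline event handler, or javascript: URL in a search term.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon\w+\s*=|javascript:", re.I)
# Request line of an Apache/nginx combined-format access log.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def inspect_request(path):
    """Return (modo, param, reason) if the request looks malicious, else None."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    modo = qs.get("modo", [""])[0]
    param = WATCHED.get(modo)
    if not param or param not in qs:
        return None
    # parse_qs already decoded once; decoding again exposes double-encoded payloads.
    value = unquote_plus(qs[param][0])
    if param == "pChave" and MARKUP.search(value):
        return (modo, param, "html/script markup in search term")
    if param == "codBibliotecaCategoria" and not value.lstrip("-").isdigit():
        # Assumption: the category id is numeric, so anything else is SQL syntax.
        return (modo, param, "non-numeric category id")
    return None


def scan_log(lines):
    """Return [(line_number, finding)] for every log line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        finding = inspect_request(m.group("path")) if m else None
        if finding:
            hits.append((n, finding))
    return hits


# Constructed sample log: one benign and one PoC-shaped request per endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2011:10:00:01 -0300] "GET /lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=redes&Submit=Buscar HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Mar/2011:10:00:07 -0300] "GET /lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar HTTP/1.1" 200 5301',
    '10.0.0.9 - - [02/Mar/2011:10:00:12 -0300] "GET /lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=7 HTTP/1.1" 200 2210',
    '10.0.0.9 - - [02/Mar/2011:10:00:15 -0300] "GET /lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end HTTP/1.1" 200 9870',
]

if __name__ == "__main__":
    for line_no, (modo, param, reason) in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: modo={modo} param={param}: {reason}")
```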


----------------------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]
- No workaround was provided addressing these vulnerabilities.

[Credits]
DcLabs Security Research Group.


-- 
Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com