lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTin6iuPSEX-9b9DmbKiqnH-v9H9hyFJ8kys2yfQy@mail.gmail.com>
Date: Fri, 4 Mar 2011 10:19:05 -0300
From: Flavio do Carmo Junior aka waKKu <carmo.flavio@...abs.com.br>
To: bugtraq@...urityfocus.com
Subject: [DCA-2011-0003]: LMS Web Ensino - Multiple XSS, Session Fixation,
 CSRF and SQL Injection

[DCA-2011-0003]


[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):

[Software]
- LMS Web Ensino

[Vendor Product Description - Portuguese]
- O Learning Management System (LMS) Web Ensino é uma ferramenta
completa para o gerenciamento e oferta de cursos e treinamentos à
distância. Versátil, sua construção e configuração permitem  uma
aplicação eficiente tanto para uso corporativo quanto acadêmico, de
pequena ou larga escala, podendo ser customizado de forma a atender as
mais diferentes demandas e a integração com sistemas legados. Oferece
segurança, desempenho e robustez, comprovados pelo uso em organizações
de diversos portes, atendendo mais de 200 mil usuários.
- Ao longo dos anos o LMS Web Ensino tem incorporado inovações que são
fruto de pesquisa e desenvolvimento junto às universidades e empresas
que utilizam o sistema no Brasil e na América Latina. Além de suas
características técnicas que o credenciam como um dos melhores LMS do
mercado, o Web Ensino conta com um diferencial intangível: o
comprometimento e a qualidade do atendimento da DEC, que pode ser
atestado por seus clientes.
- Fonte: http://www.webensino.com.br/?p=webensino

[Advisory Timeline]
- 14/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 14/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- Session Fixation
- Multiplos Persistent/Stored Cross-Site Scripting (XSS)
- Multiplos Non-Persistent Cross-Site Scripting (XSS)
- Cross Site Request Forgery (CSRF/XSRF)
- Blind SQL Injection (SQLi)

[Impact]
- High

[Affected Version]
- Latest (2011-02)
- Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]
+ Session Fixation
The application reuses a previous used cookie or injected one for
logins, this way a malicious user can take advantage of
shared-computers (very common in colleges) and steal victim
credentials, including teachers or administrators.

*All following flaws need an authenticated user*

+ Non-Pesistent XSS (Cross-Site Script)
Application fails in sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar

+ Persistent/Stored XSS (Cross-Site Script)
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao
. Incluir Publicação (New post) -> The "textarea" here doesn't
validate user input, allowing user to insert html/javascript commands.

+ Cross Site Request Forgery (CSRF)
The form responsible to change users profile and password doesn't use
either a token or confirmation before taking action.
An attacker can host a copy of the POST data and entice users to visit
his website to auto submit the POST data.
An attacker can use the previous XSS vulnerability to change the
password of all users visiting his post/note.

+ Blind SQL Injection
Application fails to sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi>
example:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end
Note: The recommended application setup is PHP+PostgreSQL, what can
provide us with stacked-queries to SQL, allowing a full database
control.


----------------------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]
- No workaround was provided addressing this vulnerabilities.

[Credits]
DcLabs Security Research Group.


-- 
--
Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ