=============================================================
        __   __          _    ___    _   __   ____         
        \ \ / /         | |  / _ \  (_) /_ | |___ \        
   ___   \ V /   _ __   | | | | | |  _   | |   __) |  _ __ 
  / _ \   > <   | '_ \  | | | | | | | |  | |  |__ <  | '__|
 |  __/  / . \  | |_) | | | | |_| | | |  | |  ___) | | |   
  \___| /_/ \_\ | .__/  |_|  \___/  |_|  |_| |____/  |_|   
                | |                                        
                |_|              blackpentesters.blogspot.com
=============================================================

# Exploit Title: [ eFront LMS v3.6.14 - build 18012 Multiple Vulnerabilities ]
# Exploit Author: [ eXpl0i13r ]
# Vendor Homepage: [ http://www.efrontlearning.net/ ]
# Software Link: [ http://sourceforge.net/projects/efrontlearning/files/latest/download ]
# Contact: [ expl0i13r@gmail.com ]
# Coordinated Disclosure

eFront LMS v3.6.14 - build 18012 is vulnerable to:

1. Arbitrary File Upload & Internal Path Disclosure 
2. Access to restricted folder ( Backup )


1. Arbitrary File Upload:
===========================

a. Import Course: 
------------------

URL : http://127.0.0.1/efront/www/professor.php?ctg=lessons&course=2&op=import_course

In the "Import Course" module an attacker can upload any arbitrary file by appending "%00" to the filename (for example test%00, test.php%00, test.txt%00); the file is written to:

"C:\xampp\htdocs\[ efront ]\upload\professor\temp"

Once the file is uploaded the application throws an error that discloses the web application's internal path, which gives a fair idea of the internal directory structure.

Error:
------
"Problem importing file: File does not exist: C:/xampp/htdocs/efront/upload/professor/temp/data.dat (102)" 



b. Personal Info (Account)
---------------------------

URL: http://127.0.0.1/efront/www/professor.php?ctg=personal&user=professor&op=profile

An attacker can upload arbitrary files by appending "%00" to the end of the filename (e.g. test.php%00, file%00); the file is written to "C:\xampp\htdocs\[ efront ]\upload\professor\avatars" in my case.
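As an added illustration (not eFront's code and not part of the original advisory), the Python function below shows the filename validation that closes the null-byte bypass described in both upload cases above: it decodes the name once, rejects any NUL byte before any other check runs (so the check and the filesystem see the same string), strips directory components, and enforces an extension allowlist. The allowlist contents, the `UploadRejected` exception and the length limit are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Assumption for the example: an allowlist suited to avatars and course archives.
ALLOWED_UPLOAD_EXTS = {"jpg", "jpeg", "png", "gif", "zip"}
MAX_NAME_LEN = 128  # assumption: conservative on-disk name length


class UploadRejected(ValueError):
    """Raised when a client-supplied filename must not reach the filesystem."""


def normalize_upload_name(raw_name: str, allowed_exts=ALLOWED_UPLOAD_EXTS) -> str:
    """Return a safe on-disk filename for an upload, or raise UploadRejected.

    Order matters: the NUL check runs first, so every later check (and the
    eventual write) operates on exactly the same string.
    """
    # Decode percent-encoding once, so a submitted "test.php%00" becomes "test.php\x00".
    name = unquote(raw_name)
    if "\x00" in name:
        raise UploadRejected("NUL byte in filename")

    # Drop directory components written with either separator.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in {".", ".."}:
        raise UploadRejected("empty or dot filename")
    if len(name) > MAX_NAME_LEN:
        raise UploadRejected("filename too long")

    # Require a real base name and extension; compare the extension case-insensitively.
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        raise UploadRejected("filename has no extension")
    ext = ext.lower()
    if ext not in allowed_exts:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # Keep the base name to a conservative character set before it is used on disk.
    base = re.sub(r"[^A-Za-z0-9_-]", "_", base)
    return f"{base}.{ext}"


def is_rejected(raw_name: str) -> bool:
    """Convenience predicate: True when normalize_upload_name refuses the name."""
    try:
        normalize_upload_name(raw_name)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, including the shapes quoted in the advisory.
    for sample in ["avatar.png", "test.php%00", "test%00", "test.php", "../../x.PNG"]:
        try:
            print(f"{sample!r:20} -> stored as {normalize_upload_name(sample)!r}")
        except UploadRejected as exc:
            print(f"{sample!r:20} -> rejected: {exc}")
```

The same ordering applies whatever language the application is written in: decode once, reject NUL bytes, then validate, and store under the validated name rather than the client's original one.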


2. Read Arbitrary Files:
=========================

Uploaded avatars can be viewed using the link below:

http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/efront/upload/professor/avatars/test.php%2500

Due to improper sanitization of the "file" parameter an attacker can read arbitrary files, in particular from the "backup" folder, which in our case was readable by the professor account:

[-] Accessing Arbitrary Files:
------------------------------

http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/backups/.htaccess
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/upload/professor/temp/eFront.zip
http://127.0.0.1/efront/www/view_file.php?file=C%3A/xampp/htdocs/[ efront ]/www/php.ini
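As an added example (not eFront's code; the directory layout is constructed to mirror the paths quoted in this advisory), the Python snippet below shows how a file-serving endpoint can confine a user-supplied "file" parameter to one base directory: decode once, reject NUL bytes and absolute or drive-letter paths, canonicalize with realpath, and verify the result still lies under the base before opening it. `demo()` builds a throwaway tree and runs the request shapes seen above (plain name, null byte, traversal, absolute Windows path) through the check.

```python
import os
import tempfile
from urllib.parse import unquote


class AccessDenied(PermissionError):
    """Raised when a requested file must not be served."""


def resolve_served_path(base_dir: str, requested: str) -> str:
    """Map a user-supplied `file` value to a regular file inside base_dir, or raise."""
    base = os.path.realpath(base_dir)
    value = unquote(requested)  # decode once, so "%00" becomes "\x00"
    if "\x00" in value:
        raise AccessDenied("NUL byte in file parameter")

    # Absolute paths and drive-letter prefixes ("C:/...") are never legitimate here,
    # even on a POSIX host where "C:/..." would only look like a relative path.
    if (os.path.isabs(value) or value[:1] in ("/", "\\")
            or (len(value) > 1 and value[1] == ":")):
        raise AccessDenied("absolute path rejected")

    # realpath resolves ".." segments and symlinks; only then confine to base.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise AccessDenied("path escapes base directory")
    if not os.path.isfile(candidate):
        raise AccessDenied("not a regular file")
    return candidate


def demo() -> dict:
    """Build a constructed layout (not real eFront data) and exercise the check."""
    root = tempfile.mkdtemp()
    avatars = os.path.join(root, "upload", "professor", "avatars")
    backups = os.path.join(root, "backups")
    os.makedirs(avatars)
    os.makedirs(backups)
    with open(os.path.join(avatars, "avatar.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed sample")
    with open(os.path.join(backups, ".htaccess"), "w") as fh:
        fh.write("Deny from all\n")

    # Constructed request values, in the shapes the advisory shows.
    requests = {
        "ok":        "avatar.png",
        "null":      "avatar.png%00",
        "traversal": "../../../backups/.htaccess",
        "absolute":  "C%3A/xampp/htdocs/efront/backups/.htaccess",
    }
    results = {}
    for label, req in requests.items():
        try:
            served = resolve_served_path(avatars, req)
            results[label] = ("served", os.path.basename(served))
        except AccessDenied as exc:
            results[label] = ("denied", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10} -> {outcome}")
```

Serving by an opaque identifier looked up in the database, rather than by any path fragment from the client, removes this class of bug entirely; where a path must be accepted, the realpath-then-commonpath confinement above is the minimum check.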


[-] Disclosure timeline:
-------------------------

[13/12/2013] - Vulnerabilities discovered
[13/12/2013] - Issues reported to Vendor by E-Mail
[17/12/2013] - Vendor update released [ v3.6.14.2 - build 18013 ]: http://forum.efrontlearning.net/viewtopic.php?f=15&t=8522
[18/12/2013] - Public disclosure