[DCA-2011-0003] [Discussion] - DcLabs Security Research Group advises about following vulnerability(ies): [Software] - LMS Web Ensino [Vendor Product Description - Portuguese] - O Learning Management System (LMS) Web Ensino é uma ferramenta completa para o gerenciamento e oferta de cursos e treinamentos à distância. Versátil, sua construção e configuração permitem uma aplicação eficiente tanto para uso corporativo quanto acadêmico, de pequena ou larga escala, podendo ser customizado de forma a atender as mais diferentes demandas e a integração com sistemas legados. Oferece segurança, desempenho e robustez, comprovados pelo uso em organizações de diversos portes, atendendo mais de 200 mil usuários. - Ao longo dos anos o LMS Web Ensino tem incorporado inovações que são fruto de pesquisa e desenvolvimento junto às universidades e empresas que utilizam o sistema no Brasil e na América Latina. Além de suas características técnicas que o credenciam como um dos melhores LMS do mercado, o Web Ensino conta com um diferencial intangível: o comprometimento e a qualidade do atendimento da DEC, que pode ser atestado por seus clientes. - Fonte: http://www.webensino.com.br/?p=webensino [Advisory Timeline] - 14/Feb/2011 -> First notification sent, release date set to March 01, 2011. - 14/Feb/2011 -> Vendor confirms notification received. - 21/Feb/2011 -> Situation report requested. - 01/Mar/2011 -> No vendor response. - 02/Mar/2011 -> Advisory published. [Bug Summary] - Session Fixation - Multiplos Persistent/Stored Cross-Site Scripting (XSS) - Multiplos Non-Persistent Cross-Site Scripting (XSS) - Cross Site Request Forgery (CSRF/XSRF) - Blind SQL Injection (SQLi) [Impact] - High [Affected Version] - Latest (2011-02) - Other versions can also be affected but weren't tested. [Bug Description and Proof of Concept] + Session Fixation The application reuses a previous used cookie or injected one for logins, this way a malicious user can take advantage of shared-computers (very common in colleges) and steal victim credentials, including teachers or administrators. *All following flaws need an authenticated user* + Non-Pesistent XSS (Cross-Site Script) Application fails in sanitize/validate user input in, at least, one page: http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar + Persistent/Stored XSS (Cross-Site Script) http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao . Incluir Publicação (New post) -> The "textarea" here doesn't validate user input, allowing user to insert html/javascript commands. + Cross Site Request Forgery (CSRF) The form responsible to change users profile and password doesn't use either a token or confirmation before taking action. An attacker can host a copy of the POST data and entice users to visit his website to auto submit the POST data. An attacker can use the previous XSS vulnerability to change the password of all users visiting his post/note. + Blind SQL Injection Application fails to sanitize/validate user input in, at least, one page: http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria= example: http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end Note: The recommended application setup is PHP+PostgreSQL, what can provide us with stacked-queries to SQL, allowing a full database control. ---------------------------------------------------------------------------------------- All flaws described here were discovered and researched by: Flávio do Carmo Júnior aka waKKu. DcLabs Security Research Group carmo.flavio dclabs com br [Workarounds] - No workaround was provided addressing this vulnerabilities. [Credits] DcLabs Security Research Group. -- -- Atenciosamente, Flávio do Carmo Júnior aka waKKu @ DcLabs Florianópolis/SC http://br.linkedin.com/in/carmoflavio http://0xcd80.wordpress.com