[DCA-2011-0003]: LMS Web Ensino - Multiple XSS, Session Fixation, CSRF and SQL Injection

[Flavio do Carmo Junior aka waKKu <carmo.flavio () dclabs com br>]

[DCA-2011-0003]


[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):

[Software]
- LMS Web Ensino

[Vendor Product Description - Portuguese]
- O Learning Management System (LMS) Web Ensino é uma ferramenta
completa para o gerenciamento e oferta de cursos e treinamentos à
distância. Versátil, sua construção e configuração permitem  uma
aplicação eficiente tanto para uso corporativo quanto acadêmico, de
pequena ou larga escala, podendo ser customizado de forma a atender as
mais diferentes demandas e a integração com sistemas legados. Oferece
segurança, desempenho e robustez, comprovados pelo uso em organizações
de diversos portes, atendendo mais de 200 mil usuários.
- Ao longo dos anos o LMS Web Ensino tem incorporado inovações que são
fruto de pesquisa e desenvolvimento junto às universidades e empresas
que utilizam o sistema no Brasil e na América Latina. Além de suas
características técnicas que o credenciam como um dos melhores LMS do
mercado, o Web Ensino conta com um diferencial intangível: o
comprometimento e a qualidade do atendimento da DEC, que pode ser
atestado por seus clientes.
- Fonte: http://www.webensino.com.br/?p=webensino

[Advisory Timeline]
- 14/Feb/2011 -> First notification sent, release date set to March 01, 2011.
- 14/Feb/2011 -> Vendor confirms notification received.
- 21/Feb/2011 -> Situation report requested.
- 01/Mar/2011 -> No vendor response.
- 02/Mar/2011 -> Advisory published.

[Bug Summary]
- Session Fixation
- Multiplos Persistent/Stored Cross-Site Scripting (XSS)
- Multiplos Non-Persistent Cross-Site Scripting (XSS)
- Cross Site Request Forgery (CSRF/XSRF)
- Blind SQL Injection (SQLi)

[Impact]
- High

[Affected Version]
- Latest (2011-02)
- Other versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]
+ Session Fixation
The application reuses a previous used cookie or injected one for
logins, this way a malicious user can take advantage of
shared-computers (very common in colleges) and steal victim
credentials, including teachers or administrators.

*All following flaws need an authenticated user*

+ Non-Pesistent XSS (Cross-Site Script)
Application fails in sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar

+ Persistent/Stored XSS (Cross-Site Script)
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=area_publicacao
. Incluir Publicação (New post) -> The "textarea" here doesn't
validate user input, allowing user to insert html/javascript commands.

+ Cross Site Request Forgery (CSRF)
The form responsible to change users profile and password doesn't use
either a token or confirmation before taking action.
An attacker can host a copy of the POST data and entice users to visit
his website to auto submit the POST data.
An attacker can use the previous XSS vulnerability to change the
password of all users visiting his post/note.

+ Blind SQL Injection
Application fails to sanitize/validate user input in, at least, one page:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=<SQLi>
example:
http://collegedomain.tld/lms/sistema/webensino/index.php?modo=itensCategoriaBiblioteca&codBibliotecaCategoria=-1%20or%201=1%20--%20end
Note: The recommended application setup is PHP+PostgreSQL, what can
provide us with stacked-queries to SQL, allowing a full database
control.


----------------------------------------------------------------------------------------

All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br

[Workarounds]
- No workaround was provided addressing this vulnerabilities.

[Credits]
DcLabs Security Research Group.


-- 
--
Atenciosamente,

Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com